10341000x8000000000000000110975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.282{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.276{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.271{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.267{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.261{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.255{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.248{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.242{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000110967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.240{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190)
10341000x8000000000000000258141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.169{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.165{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.163{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.161{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.155{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.151{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
23542300x8000000000000000110996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:58.204{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C449FA6556AEBAB7EA1EB48EDBC12581,SHA256=2620D81AE6AB50469A430BFB39AB5246E305131FB66D26F14D40269BCD7E5118,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:59.072{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D280916D262E59CB7893ED14C44AEE3E,SHA256=C6835A2366FF4AEBF3A9596E547B8353385823CFFE7404CECE4FDB3F959DAA56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000110997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:59.322{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775662BF39598133B977E90D762DA024,SHA256=2071A2DFA2AF128FE2AF68F629D0B9F94F35761AF7432B2C5FCF614FEC81FAF3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.835{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7C01-00000000BB02}4804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.834{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7B01-00000000BB02}5680C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.818{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.799{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.751{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.741{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D800-00000000BB02}4508C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.723{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D500-00000000BB02}4408C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
23542300x8000000000000000258155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.711{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444EF04063501DEF33083F5C0AAA6BE7,SHA256=F19EE1871FF61146853B07B278AC5EC1A492FE4B11DCF1D1AA4877CE9BD59FC7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.708{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D200-00000000BB02}2060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.706{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D000-00000000BB02}4032C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
23542300x8000000000000000258152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.704{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F1670D3B8A6FA12A9CB5E18F2E76A3,SHA256=CB83B5B9195CCB716C04487CD6355913253A5BF156E84B0C75E830575DB0F7D3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.702{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E94-63DA-8900-00000000BB02}2244C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.696{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.692{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.685{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.684{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.682{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.680{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
10341000x8000000000000000258144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.173{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190)
23542300x8000000000000000111003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:04.748{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3563C3CF37C7AB4A79C04BE05BC17AE,SHA256=EF7FFC92241824B2DF208E8FD3DAF63791E21E45CA972EC8A52694F9830423C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:05.701{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB600585764C8CE76F398DA1DD55AFF,SHA256=7D7ED0BC4601ED6270F45C1568B2A905E8AFCD58720D40DBD60766D36F750F9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:05.842{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE82BECC429A863E02789D84F57CAC98,SHA256=7F8FFBAAF8D9B1072667066893472B3878B1FEDA53CB84C1127EC6237D2D376E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:03.275{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50014-false10.0.1.12-8000-
354300x8000000000000000258210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:05.132{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52395-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000258209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:07.341{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69D499CC2C57CAF74161E24F966A15D,SHA256=194C30D82E0A545DF51538EAC507A29BBE04C764482833B8DF041EB38832D476,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:07.044{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F53E1CE66CBF09EEA3AD0F480CFF594,SHA256=C23E468CD2ED449AC06F01AB169CD0A5FADB09E42DE54883F2DB3AF8C6741B04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:08.937{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E92D5C2D99324EA8DC92631C8754342,SHA256=2B6F6D95DD08471ED66FF21CB24AD1CD82302A7A84386B1A2F12BF48F3F3248F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:08.129{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F514028689F1BC0E55C8711C7FD922C,SHA256=398A20F5967B973A52B1CB35D1940A54C8718FF7F938E75A983FF2CFE6EFEA74,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:09.223{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2782ED2A251D7314D6661EB0A507D9EE,SHA256=18DDD65B4973D7A52DD00C59BF4D64D8FD6FE44583B96DF08F2F7E2D15D0B462,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:10.545{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F325D949B862AA78667509BDBCDD799,SHA256=B5426BEE988FDB8D9704B57B825E8A1B0FAA217E8566326912EC09880A03C66B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:10.320{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1D59F37BE2891556DF40F41C18CB2A,SHA256=A9BEFEAD855B710F63B8C407E5E582079AA1DED06D73E604B1DDDFB0ACB70520,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:11.970{F522A29C-3E1A-63DA-2C00-00000000BB02}2648NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0952d6a09371e4319\channels\health\respondent-20230201102532-025MD5=C992C93F6889836CE81093D64446FB44,SHA256=44CC6EB9534D1C68ABEFC8F37C94D933CD5A53D96A5B79ECC0CFE8E440E1AC73,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:09.159{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50015-false10.0.1.12-8000-
23542300x8000000000000000111011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:11.403{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EB3140686A07BFD1504F98334B10A4,SHA256=D0003522912EB6CF2913CF3EE7F78C8C787E9A1CCBA0426FADC903DBA93D457A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:11.339{A4BA2B7C-3E06-63DA-1100-00000000BC02}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A6DF1650331BA0D87647EAA8F9192C7,SHA256=177061C01C71B6036A53692F7CEBE3C2EF3572DEA3255CAAE1556B657856BA94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:12.991{F522A29C-3E1A-63DA-2C00-00000000BB02}2648NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0952d6a09371e4319\channels\health\surveyor-20230201102530-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:12.154{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713CA82911CCF903F8E5EBB94CD6EB11,SHA256=3358FC8665CE5D76D3D05340057DB248231F1F8A89427856090F550072C98B44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:12.392{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977EABE077B113D5E4E5FE218BF5C9E4,SHA256=C347267F407DD534565AD7095D89D46780E02C65761745F32278B2D7560DC270,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:13.764{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E5513EE5C676137D04F08EDD772520,SHA256=FF4FD0E143CBA92E6E363A0737B6180C170D6DDB8DF0E18A44460EAEE7CDBCC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:13.492{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027503CF488FCC2D85CD6A4F5DDAE69D,SHA256=A009329719DD717C60311E7CB7D04CC30EF810EA345F06CEE0A46800993160FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:14.567{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E63F0E381752DCA13B52500A8610A6,SHA256=18BBD8AD7A63553C4238296973E5B100F3C1DE9D6362130DFF248858F659082E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000258217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:11.122{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52396-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000111018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.594{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3439CF6F8BF19CA0F5339275608ECFB,SHA256=BB7BFEEB9F0A7946130FA5D8EFF741B632B9FF099670E9C35FF5F65901833258,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.309{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.309{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.309{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000258220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:15.515{F522A29C-3E1A-63DA-2E00-00000000BB02}2692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=087A3F00A29E6FAE4BA2AFEC5245B00F,SHA256=9A8847B05C0318551A9EE6B4C89F70D6E17F80BE49826498513068A146DB82A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:15.371{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F99C8EB3C0CACD87276EFB90864F53,SHA256=08FC38221C0D953EC1FBF1FC79FB7A5D38556DDB6C8940BDB36E32783FFB541A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:15.695{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD54F9065EDF011DD711CBA0C29C85D,SHA256=9BF42B5337A11F232F962897F6A672DA9480553B71ECEF27117E82BD86DA5140,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:16.972{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982E6DD15F0CA87BFCC597B10EFCEBE6,SHA256=A5ACBCD05016C9CA0CE1DA04A24799958F5A0C693335C2540914F8837A8ACCBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:16.174{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40D8A5366CD1E40A870D113A2FCA6E3,SHA256=499B6A132BFA7A72661D23204512B786CAC09B0030685CB86CF0AA8CD01EEA47,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.295{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50016-false10.0.1.12-8000-
23542300x8000000000000000111020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:16.795{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A190724629E7363813E7BF6300009B,SHA256=9F0458D047BFF4A9040FD64D763F0266DBA6C3A78EB882FA4C87193D54681A28,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.893{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2900-00000000BB02}2620C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.892{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2700-00000000BB02}2580C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.882{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2600-00000000BB02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.867{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2500-00000000BB02}2496C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.862{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E15-63DA-2300-00000000BB02}2352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.858{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0D-63DA-1B00-00000000BB02}2032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.848{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1700-00000000BB02}1388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.823{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.818{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.807{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1400-00000000BB02}1064C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.802{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1300-00000000BB02}936C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.795{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
23542300x8000000000000000258232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.794{F522A29C-3E0C-63DA-1100-00000000BB02}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=504DD3C6FD24CC1D3BE7B4441EDAD862,SHA256=3D0AF6873DDAADF40CCE56D8C67A808DBC1672754735739BC464927BD4DD2759,IMPHASH=00000000000000000000000000000000falsetrue
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258231 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.788 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0C-63DA-1100-00000000BB02} | TargetProcessId=444 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258230 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.780 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0C-63DA-1000-00000000BB02} | TargetProcessId=388 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258229 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.771 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0C-63DA-0F00-00000000BB02} | TargetProcessId=92 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258228 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.761 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0C-63DA-0E00-00000000BB02} | TargetProcessId=104 | TargetImage=C:\Windows\system32\LogonUI.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258227 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.753 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0C-63DA-0D00-00000000BB02} | TargetProcessId=920 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258226 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.744 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0C-63DA-0C00-00000000BB02} | TargetProcessId=864 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258225 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.720 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5992 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0A-63DA-0B00-00000000BB02} | TargetProcessId=660 | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258224 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:17.714 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5992 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E0A-63DA-0900-00000000BB02} | TargetProcessId=596 | TargetImage=C:\Windows\system32\winlogon.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90)
EventID=13 | Version=2 | Level=4 | Task=13 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258223 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2023-02-01 10:52:17.068 | ProcessGuid={F522A29C-3E0C-63DA-1000-00000000BB02} | ProcessId=388 | Image=C:\Windows\system32\svchost.exe | TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime | Details=QWORD (0x01d9362b-0x40140fb6)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111050 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.387 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E80-63DA-8200-00000000BC02} | TargetProcessId=584 | TargetImage=C:\Windows\System32\msdtc.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111049 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.385 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E18-63DA-6D00-00000000BC02} | TargetProcessId=3672 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111048 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.383 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E11-63DA-6100-00000000BC02} | TargetProcessId=3248 | TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111047 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.380 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E09-63DA-4200-00000000BC02} | TargetProcessId=1880 | TargetImage=C:\Windows\system32\wbem\wmiprvse.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111046 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.379 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E08-63DA-4000-00000000BC02} | TargetProcessId=1748 | TargetImage=C:\Windows\system32\conhost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111045 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.377 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E08-63DA-3C00-00000000BC02} | TargetProcessId=2976 | TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111044 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.376 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E07-63DA-2B00-00000000BC02} | TargetProcessId=2880 | TargetImage=C:\Windows\system32\conhost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111043 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.375 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E07-63DA-2600-00000000BC02} | TargetProcessId=2564 | TargetImage=C:\Windows\system32\wbem\unsecapp.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111042 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.374 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E07-63DA-2500-00000000BC02} | TargetProcessId=2332 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111041 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.371 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-2300-00000000BC02} | TargetProcessId=1400 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111040 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.361 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-2000-00000000BC02} | TargetProcessId=2040 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111039 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.357 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1F00-00000000BC02} | TargetProcessId=2032 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111038 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.351 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1E00-00000000BC02} | TargetProcessId=2020 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111037 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.347 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1D00-00000000BC02} | TargetProcessId=1972 | TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111036 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.341 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1900-00000000BC02} | TargetProcessId=1816 | TargetImage=C:\Windows\System32\spoolsv.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111035 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.329 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1700-00000000BC02} | TargetProcessId=1180 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111034 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.328 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1600-00000000BC02} | TargetProcessId=1172 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111033 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.307 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1500-00000000BC02} | TargetProcessId=1028 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111032 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.301 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1400-00000000BC02} | TargetProcessId=964 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111031 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.295 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1300-00000000BC02} | TargetProcessId=740 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111030 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.289 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1200-00000000BC02} | TargetProcessId=988 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111029 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.282 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1100-00000000BC02} | TargetProcessId=968 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111028 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.275 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-1000-00000000BC02} | TargetProcessId=924 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111027 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.269 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2856 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-0F00-00000000BC02} | TargetProcessId=896 | TargetImage=C:\Windows\system32\dwm.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111026 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.262 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2860 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E06-63DA-0E00-00000000BC02} | TargetProcessId=888 | TargetImage=C:\Windows\system32\LogonUI.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111025 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.259 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2860 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E05-63DA-0D00-00000000BC02} | TargetProcessId=776 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111024 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.252 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2860 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E05-63DA-0C00-00000000BC02} | TargetProcessId=724 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111023 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.250 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2860 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E05-63DA-0B00-00000000BC02} | TargetProcessId=628 | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111022 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:17.245 | SourceProcessGUID={A4BA2B7C-3E06-63DA-2100-00000000BC02} | SourceProcessId=876 | SourceThreadId=2860 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={A4BA2B7C-3E05-63DA-0900-00000000BC02} | TargetProcessId=568 | TargetImage=C:\Windows\system32\winlogon.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10)
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258252 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.755 | ProcessGuid={F522A29C-3E1A-63DA-2E00-00000000BB02} | ProcessId=2692 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | Hashes=MD5=497B4968F2EF9EF7DA49A4337D0C090D,SHA256=26DC17B4E8A2CBC1618152473C4DDDDFAD73337594DA0C5AB5D15675F950E537,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258251 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.579 | ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} | ProcessId=3992 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=70AE3A8A48B440B2F6993297D5CF294F,SHA256=3BCC857E300F181060F2DF824147A61EACB73F232AD372AA05882410939B4E35,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258250 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.268 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E1A-63DA-3000-00000000BB02} | TargetProcessId=2856 | TargetImage=C:\Windows\system32\dfssvc.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258249 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.264 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E1A-63DA-2E00-00000000BB02} | TargetProcessId=2692 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258248 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.261 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E1A-63DA-2D00-00000000BB02} | TargetProcessId=2656 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258247 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.259 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E1A-63DA-2C00-00000000BB02} | TargetProcessId=2648 | TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258246 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.254 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E1A-63DA-2B00-00000000BB02} | TargetProcessId=2640 | TargetImage=C:\Windows\system32\DFSRs.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258245 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:18.250 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-3E1A-63DA-2800-00000000BB02} | TargetProcessId=2612 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111051 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:18.005 | ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} | ProcessId=3672 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=5ABDD6095D540F9BCEC9DEBC9C0C49B2,SHA256=4AE58F0054571FBBD87135BC86576416EE8D8A137241BECF43E87EDA8B19693C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258253 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:19.386 | ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} | ProcessId=3992 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F732893BBECECA5F09487521B5AA7A9C,SHA256=1CD517C98432B41BAE6657BEBBFA6B8EF577BD075F1B009A34A951838F4B8D1B,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=111052 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-306 | RuleName=- | UtcTime=2023-02-01 10:52:19.091 | ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} | ProcessId=3672 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=309871E178B29BF92FDDEFB85502E8DA,SHA256=DA7BF436CE0A9035C28769C63DF9416293F884C96D024B6A502495BB2903BF27,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258266 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:20.998 | SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} | SourceProcessId=5868 | SourceThreadId=5740 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={F522A29C-404C-63DA-D000-00000000BB02} | TargetProcessId=4032 | TargetImage=C:\Windows\system32\winlogon.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=258265 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-865.attackrange.local | RuleName=- | UtcTime=2023-02-01 10:52:20.996 | ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} | ProcessId=3992 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=FD99B575784D3F6F8DB065059FBC2D66,SHA256=FB1CCE2952D742B9F17A5556A2ECFC3F2A16A741A86C1D7C6134F69018633C5F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
10341000x8000000000000000258264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.995{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E94-63DA-8900-00000000BB02}2244C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.807{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.804{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.799{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.795{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.793{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.792{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.285{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.284{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
354300x8000000000000000258255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.712{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
354300x8000000000000000258254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.115{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52397-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000111057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.338{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.338{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.338{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628676C:\Windows\system32\lsass.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.325{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-2100-00000000BC02}876C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000111053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.196{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0B16C0CFA27C7488EFC8C6E1A6B18F,SHA256=6F967AFE0944D3378FA4C4CB14BE04BE7FC826089709E8A847B1A31F759167E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.647{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-4060-63DA-E700-00000000BB02}5868C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.089{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7C01-00000000BB02}4804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.088{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7B01-00000000BB02}5680C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.075{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.055{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.030{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.021{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D800-00000000BB02}4508C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.009{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D500-00000000BB02}4408C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.000{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D200-00000000BB02}2060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
23542300x8000000000000000111059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:21.715{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=497B4968F2EF9EF7DA49A4337D0C090D,SHA256=26DC17B4E8A2CBC1618152473C4DDDDFAD73337594DA0C5AB5D15675F950E537,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:21.262{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D7633BDD261D6435C3F58A1760F25C,SHA256=13656106D6E442AABE6C2740959D05C6C61ED6A059084EA6F939C132631A69E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:22.654{F522A29C-3E0C-63DA-0D00-00000000BB02}9202204C:\Windows\system32\svchost.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000258276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:22.591{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E0A3D4D1A0DA538F95A34AC9D5CCBF,SHA256=5B357B6B4C47769413B2D2E1A4457744FD592AD3F38637EB7676411BA930C86C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:22.366{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0E7352980C0537F5E0C27B369E9E8F,SHA256=716FB6418BADB35DDB0431787C5550855B3BEF951A61BD2F521BB4B9FC034109,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.467{A4BA2B7C-4467-63DA-5901-00000000BC02}10483456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000111076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.467{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA0393755FF019F7CD9F2AA91040A5A,SHA256=9A01FB72E54220BF787AECCB8F54ED4FB3B24455B7E17F319F1FE679C92C9B6F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.790{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50018-false10.0.1.12-8089-
354300x8000000000000000111074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.130{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50017-false10.0.1.12-8000-
10341000x8000000000000000111073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0500-00000000BC02}4121192C:\Windows\system32\csrss.exe{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000258278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:24.210{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AE9E07E666243FBE44F9DA15972A39,SHA256=913853DEE15D185C2961B9500B5467B13A2F8660609B80E1A577A184B27A749D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0500-00000000BC02}412428C:\Windows\system32\csrss.exe{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.603{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.554{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D5FEAA6212EDEF37248D0ECFFB97CC,SHA256=1E98B22AF6604E57E96AB9E0F0499E7FD2995F744CBFFE562C7014436926D4EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.429{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6678253902B0AE492B42A4D0C5FC44AD,SHA256=2638CA0E46C23EFAF759D5D476AF5D51C1C1EDD0E326CB561218E82659963A36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.116{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8AA1D5DDDAD2221A5DBA1EFA343399A0,SHA256=A3FB0A96512148B0C88F50ED88310C6ED67CB2A9EB5A07E303E5670A13D971B3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.003{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.002{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.002{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.002{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0500-00000000BC02}4121192C:\Windows\system32\csrss.exe{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.000{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.320{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:28.907{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFE46D0F6B78357200EB47966526FE0,SHA256=047D7416E921853C3253F9518B2F395DD9E964AAE488D655B7AC2E04C8F27760,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:25.285{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50019-false10.0.1.12-8000-
10341000x8000000000000000111152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:28.175{A4BA2B7C-446B-63DA-5E01-00000000BC02}3552524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.990{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}5085760C:\Windows\System32\svchost.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000258292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localInvDBSetValue2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exeHKU\S-1-5-21-3145359389-666042155-3036903564-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\swiftslicer.exeBinary Data
10341000x8000000000000000258291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}5081052C:\Windows\System32\svchost.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}5081052C:\Windows\System32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-404C-63DA-CF00-00000000BB02}20723192C:\Windows\system32\csrss.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000258284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-404F-63DA-E000-00000000BB02}50281088C:\Windows\Explorer.EXE{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000258283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.799{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe-----"C:\Temp\swiftslicer.exe" C:\Temp\ATTACKRANGE\Administrator{F522A29C-404D-63DA-93D1-0D0000000000}0xdd1932HighMD5=FEE7C379F3A555C5C821E872EC384A91,SHA256=1DB93EE81050DA0BA413543F9FBC388499A466792F9A54EA6F1BBDB712BA9690,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK
23542300x8000000000000000258282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.018{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7674B695C09C4C32E72B7F1BED2611,SHA256=EC5E336F3B8E0B45C3987D6F10F8D81FF0B2B0D6CBD23DF141FCFFCDC929FCB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.983{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD99063B7A9498A3B2CA6E20B642D65A,SHA256=7BB802CCA739C9CFE5C8ABCF0F49E2A282D1EDF4B63836A47B96389F40BAFC71,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.735{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000258383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.996{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
23542300x8000000000000000258382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.993{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.muiMD5=D0764AC98CB8B21FF529D8C3011D0CCD,SHA256=1B89A64E98662FE20D02C9576634F684EF741D275779C34950F854F49B3AB84C,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.991{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
23542300x8000000000000000258380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.991{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.muiMD5=F500548BD97F4A74EF166C45C4BEAE14,SHA256=E1EAF788541A48993DD3262411C2A5E51FD32C713226C7F6E810FBE07C5833E4,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.987{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.muiMD5=B270B714AD6B56A7069CD97C5A2CCC9E,SHA256=805762A81560E87FEF194C8182CB8D4601CB05F2952F1D3DEB6A2C1D063AB272,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.986{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
23542300x8000000000000000258377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.984{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.muiMD5=E8AB6A5A04F4803CCFA2F7CF7776EE3F,SHA256=E6349168930616E6DC36FCD0DB870056692E136C5FE0AFFDE9588BEEF8FE8A9E,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.975{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\UMDF\en-US\SensorsCx.dll.muiMD5=FDDC23D7C1891203992DEE2ADB397E81,SHA256=E30071E18041441AE3C17AC2AB775CFA44CEA9E6AF97E7D42C97989949B4C44E,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.952{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x8000000000000000258374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.918{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.902{F522A29C-3E0A-63DA-0A00-00000000BB02}652384C:\Windows\system32\services.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E09-63DA-0500-00000000BB02}4201768C:\Windows\system32\csrss.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000258367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.840{F522A29C-3E0A-63DA-0A00-00000000BB02}652448C:\Windows\system32\services.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000258366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.833{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{F522A29C-3E0A-63DA-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{F522A29C-3E0A-63DA-0A00-00000000BB02}652C:\Windows\System32\services.exeC:\Windows\system32\services.exe
10341000x8000000000000000258365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.824{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.824{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.824{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-3E0A-63DA-0A00-00000000BB02}652C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.715{F522A29C-3E0C-63DA-1600-00000000BB02}12922636C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.699{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E09-63DA-0500-00000000BB02}420436C:\Windows\system32\csrss.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000258355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000258354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.643{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\SysWOW64\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{F522A29C-3E0C-63DA-E403-000000000000}0x3e40SystemMD5=F94C2242DE208AA0CD1A64187165B448,SHA256=0EF0BB79047494273B2F8B44F1080A1458DEF6DB2828AE517380D59CB29D7291,IMPHASH=DD443828EFFA4923A7206DB96293A619{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch
23542300x8000000000000000258353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66623EBB85F5F5601FDF6D10118EA7D3,SHA256=977C94BB0B6948B13E2F42AD798270C9BC61930FB8B434F82A2243898E02A1B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954A0012334B16A8E52055E2C6C06161,SHA256=2CE51CB88D92F3FB16A0BFE23F2188C4317F6BB1E9BEB733CBD64129AA3E3A00,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-446D-63DA-9F01-00000000BB02}24284376C:\Temp\swiftslicer.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Temp\swiftslicer.exe+5c555|C:\Temp\swiftslicer.exe+180c8c
154100x8000000000000000258300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.134{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic shadowcopy deleteC:\Temp\ATTACKRANGE\Administrator{F522A29C-404D-63DA-93D1-0D0000000000}0xdd1932HighMD5=AC7D85F15AF7E892847AE2DB2CCC2B1D,SHA256=969D91FFA56C80F82F893559316F6E1F12DC6C023411C43DAEDC80E8F9AC2652,IMPHASH=37777A96245A3C74EB217308F3546F4C{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe"C:\Temp\swiftslicer.exe"
10341000x8000000000000000258299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-1200-00000000BB02}5085760C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000111169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:30.812{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE39C6C240544DC6CA66888B2EA2528F,SHA256=77121B7CC9A0C0D62B69EF6810FF1613F67DD91ADE7A5811291AD258AC124A93,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.822{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.822{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.818{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.818{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.818{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
23542300x8000000000000000258405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.609{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edbtmp.logMD5=F1C9645DBC14EFDDC7D8A322685F26EB,SHA256=E5B844CC57F57094EA4585E235F36C78C1CD222262BB89D53C94DCB4D6B3E55D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000258404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.478{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edbres00002.jrsMD5=F1C9645DBC14EFDDC7D8A322685F26EB,SHA256=E5B844CC57F57094EA4585E235F36C78C1CD222262BB89D53C94DCB4D6B3E55D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
10341000x8000000000000000258403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.471{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.471{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.471{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.441{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.441{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.441{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
23542300x8000000000000000258397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.439{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B0727747C9EC566E53A04AD1685318,SHA256=236EFF537C36D3BF9F407F62619EE8E43F804549473FF3F721F29E4F2CEDE7ED,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.400{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.400{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.400{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.390{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.390{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.390{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
23542300x8000000000000000258390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.353{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edbres00001.jrsMD5=F1C9645DBC14EFDDC7D8A322685F26EB,SHA256=E5B844CC57F57094EA4585E235F36C78C1CD222262BB89D53C94DCB4D6B3E55D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
354300x8000000000000000258389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:28.212{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000258388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.221{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edb00001.logMD5=28D350C51D12CF11123F531A6E940F64,SHA256=F2CE69533DDF170FC66B926CA89FB8618F7B9398FB7B3D2BD9B6C55C731D1717,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.108{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edb.chkMD5=2A19195B6E990FB994946F52F9B45C17,SHA256=730BA43CCD1EDF83032957BB5E815FC66F1586F7B4539461755A229A1C753A8A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.102{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\gmreadme.txtMD5=7111BFA692A22E4B3C07F1E6C6FF6F72,SHA256=10BF6E15C08C8C7F5D96B658BAB78AED86D1DE20F08E7871EEFBA0939AF11A02,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.102{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7111BFA692A22E4B3C07F1E6C6FF6F7210BF6E15C08C8C7F5D96B658BAB78AED86D1DE20F08E7871EEFBA0939AF11A0200000000000000000000000000000000.txt2023-02-01 10:52:31.102
23542300x8000000000000000258384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.080{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\gm.dlsMD5=7F29903CB8F5590D52DB0C9F97049A25,SHA256=3229B09B9D7D9F3F4793B0D9B34FE6ABC75CFA4A2503C0C90F43FF651BA7F2C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:31.064{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4446C668E277D3AC92F046E5D62B004A,SHA256=20A685C5305952DF4B3BFE969DC7976537C6C6F3A958C82AB22459E560B7DC07,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.827{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.827{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000258421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.827{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)
10341000x8000000000000000111192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.366{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.360{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1900-00000000BC02}1816C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.346{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1700-00000000BC02}1180C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.343{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1600-00000000BC02}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.310{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.303{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1400-00000000BC02}964C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.298{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.292{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.284{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.279{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.275{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.268{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.262{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.256{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.250{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000111177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.248{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150)
10341000x8000000000000000258456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.429{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.426{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.423{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.422{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.416{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.410{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
23542300x8000000000000000111208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:38.877{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBD43F4DCAED416390C870783BE7B6C,SHA256=F534ED3D64FB3512E07B027B3515A0E1A2DAF2F97777A68D413122B7C804E9C5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:36.313{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50021-false10.0.1.12-8000-
23542300x8000000000000000111209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:39.854{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291D28582C142954EA725AD4930ED910,SHA256=0EBD375DBB4177422F60DC40AF33A106010150554E62D60281DB0F100960FCBB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.957{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.951{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.946{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.944{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.942{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.941{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.434{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.433{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
23542300x8000000000000000111210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:40.948{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3529A1C55D592AF9222C4E7D19F9FF93,SHA256=2C1A15DF6AC85C2C6A9D05D7D560E001722C9EE8899EF1E0E558860D2668C34D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.560{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C72B8454329310C6AC170E5683AB57,SHA256=B108AC1008897BE5EAB613E44792BB5CAC9AA7D952D41F2BC7C47809F4DF86DA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
10341000x8000000000000000258482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)
Sysmon events (channel Microsoft-Windows-Sysmon/Operational), one record per line, fields reconstructed from the flattened export. Common to every record: Level=4 Opcode=0 Keywords=0x8000000000000000 Task=EventID RuleName=-. Version=3 for EventID 10 (ProcessAccess); Version=5 for EventID 1 (ProcessCreate), 3 (NetworkConnect) and 23 (FileDelete, archived).

EventID=10 EventRecordID=258481 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.516" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-446E-63DA-A201-00000000BB02} TargetProcessId=1100 TargetImage="C:\Windows\sysWOW64\wbem\wmiprvse.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258480 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.515" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-446E-63DA-A201-00000000BB02} TargetProcessId=1100 TargetImage="C:\Windows\sysWOW64\wbem\wmiprvse.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258479 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.515" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-446E-63DA-A201-00000000BB02} TargetProcessId=1100 TargetImage="C:\Windows\sysWOW64\wbem\wmiprvse.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258478 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.511" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-446E-63DA-A301-00000000BB02} TargetProcessId=1928 TargetImage="C:\Windows\system32\vssvc.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258477 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.508" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-446E-63DA-A201-00000000BB02} TargetProcessId=1100 TargetImage="C:\Windows\sysWOW64\wbem\wmiprvse.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258476 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.507" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-446D-63DA-9F01-00000000BB02} TargetProcessId=2428 TargetImage="C:\Temp\swiftslicer.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258475 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.506" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-4380-63DA-7C01-00000000BB02} TargetProcessId=4804 TargetImage="C:\Windows\system32\conhost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258474 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.505" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-4380-63DA-7B01-00000000BB02} TargetProcessId=5680 TargetImage="C:\Windows\system32\cmd.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258473 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.492" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-4050-63DA-E200-00000000BB02} TargetProcessId=4992 TargetImage="C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258472 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.481" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-4050-63DA-E100-00000000BB02} TargetProcessId=3060 TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258471 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.451" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-404F-63DA-E000-00000000BB02} TargetProcessId=5028 TargetImage="C:\Windows\Explorer.EXE" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=3 EventRecordID=258470 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:39.161" ProcessGuid={F522A29C-3E26-63DA-7100-00000000BB02} ProcessId=3240 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-865.attackrange.local SourcePort=52402 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=10 EventRecordID=258469 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.443" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-404E-63DA-D800-00000000BB02} TargetProcessId=4508 TargetImage="C:\Windows\system32\svchost.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258468 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.433" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-404E-63DA-D500-00000000BB02} TargetProcessId=4408 TargetImage="C:\Windows\System32\rdpclip.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258467 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.428" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-404C-63DA-D200-00000000BB02} TargetProcessId=2060 TargetImage="C:\Windows\system32\dwm.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258466 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.425" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-404C-63DA-D000-00000000BB02} TargetProcessId=4032 TargetImage="C:\Windows\system32\winlogon.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=10 EventRecordID=258465 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:41.420" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5740 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-3E94-63DA-8900-00000000BB02} TargetProcessId=2244 TargetImage="C:\Windows\System32\msdtc.exe" GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190)"
EventID=23 EventRecordID=258487 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:42.249" ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} ProcessId=3992 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=2D9F06B24A3059D43E0EDB8573516A58,SHA256=D1BFBAB78464CF7B298F34548E0526C6E4047E682DE15B1ACB28DC9352DF28E9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=258486 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:42.219" ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} ProcessId=3992 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=6B4109D09C6EEE7642CA7F89F7FF2BC1,SHA256=D8674530931282F83BB902AB7DF47C902A2FCEDE8D9504A87D8DC3C6CECF855D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=111211 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:42.037" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=302BDDF1B0D37311CD9F9F53EB0B502A,SHA256=675EB0AA361CA62A83ED87621DF80F9E760A36664510798345430A5511E43D56,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=258488 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:43.023" ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} ProcessId=3992 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=70F30AFDA3EE0B85BE1410202476D06A,SHA256=1E68DC7FE681CBA715848460DA143DD5BE8A63D61FAA34EFCF0748CB833E98CA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=111212 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:43.122" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=3D01BB640F7569D943692CC9A1413177,SHA256=91A7C74836C5CDF6E1DD3424C4BAEFF029F8582A0B864A60FD112B17766F123A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=258489 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:44.633" ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} ProcessId=3992 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=02BD83E90CD57FAB2D58A81F45990F2D,SHA256=CA37E44F9A22ADA5F199C24AA496CEC9456C02C06E824321E2C29DE5874BD268,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=111214 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:42.212" ProcessGuid={A4BA2B7C-3E11-63DA-6100-00000000BC02} ProcessId=3248 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-306.us-east-2.compute.internal SourcePort=50022 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 EventRecordID=111213 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:44.219" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=A106D0DA5C252E55BB53F0F599191A31,SHA256=6774946337F41058B1D4ECEB87AE321DD73C32428465E19E573622F479E18FA4,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=258490 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:45.552" ProcessGuid={F522A29C-3E1A-63DA-2E00-00000000BB02} ProcessId=2692 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log" Hashes=MD5=A34A13609477878FC17DC54CC2405225,SHA256=834E4F7CBDA63F38043083D96E61C4C807BB84C1AD85E5E783798AF0364E8C1D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=111215 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:45.334" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F8D14229943A622355D54DB0BCB4D1A6,SHA256=C5FFA19C3B6E505EDE6436BA23708FB4FF145731C5E14CD097D52E4E9A442277,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=111216 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:46.420" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BE42126198A8ACBBC1BE2AD7388F172B,SHA256=4926E5805F043335096C912D592E4508051BBBE8C921F0FF181F7135FF9B7880,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=258493 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:45.055" ProcessGuid={F522A29C-3E26-63DA-7100-00000000BB02} ProcessId=3240 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-865.attackrange.local SourcePort=52404 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=3 EventRecordID=258492 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:44.758" ProcessGuid={F522A29C-3E0A-63DA-0B00-00000000BB02} ProcessId=660 Image="C:\Windows\System32\lsass.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-ctus-attack-range-865.attackrange.local SourcePort=52403 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-ctus-attack-range-865.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 EventRecordID=258491 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:44.758" ProcessGuid={F522A29C-3E1A-63DA-2600-00000000BB02} ProcessId=2572 Image="C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-ctus-attack-range-865.attackrange.local SourcePort=52403 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-ctus-attack-range-865.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=23 EventRecordID=111217 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:47.494" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=01962F77A2139B296B5619B8A29B8056,SHA256=2571408D598F230F94F6A6D79DC4D92AFB7050F68C37CCB7DA03D4EC0B0D9B05,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 EventRecordID=258512 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.617" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5988 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1010 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)"
EventID=10 EventRecordID=258511 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.617" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5988 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)"
EventID=10 EventRecordID=258510 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.617" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5988 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)"
EventID=10 EventRecordID=258509 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.616" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5988 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1010 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)"
EventID=10 EventRecordID=258508 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.616" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5988 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)"
EventID=10 EventRecordID=258507 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.616" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=5988 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)"
EventID=23 EventRecordID=258506 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.506" ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} ProcessId=3992 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=08F3920A1159FD7C4389CA2EA015B74A,SHA256=F30A91A90C71D5C7984FE24A505B96AB4D059221BC6F6200F987AB3451A27762,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 EventRecordID=258505 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.450" SourceProcessGUID={F522A29C-3E1B-63DA-3800-00000000BB02} SourceProcessId=3248 SourceThreadId=3268 SourceImage="C:\Windows\system32\conhost.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=258504 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.444" SourceProcessGUID={F522A29C-3E0C-63DA-0C00-00000000BB02} SourceProcessId=864 SourceThreadId=896 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={F522A29C-3E1A-63DA-2800-00000000BB02} TargetProcessId=2612 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=258503 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.444" SourceProcessGUID={F522A29C-3E0C-63DA-0C00-00000000BB02} SourceProcessId=864 SourceThreadId=896 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={F522A29C-3E1A-63DA-2800-00000000BB02} TargetProcessId=2612 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=258502 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.443" SourceProcessGUID={F522A29C-3E0C-63DA-0C00-00000000BB02} SourceProcessId=864 SourceThreadId=896 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={F522A29C-3E1A-63DA-2800-00000000BB02} TargetProcessId=2612 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=258501 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.443" SourceProcessGUID={F522A29C-3E0C-63DA-0C00-00000000BB02} SourceProcessId=864 SourceThreadId=896 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={F522A29C-3E1A-63DA-2800-00000000BB02} TargetProcessId=2612 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 EventRecordID=258500 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.442" SourceProcessGUID={F522A29C-3E09-63DA-0500-00000000BB02} SourceProcessId=420 SourceThreadId=556 SourceImage="C:\Windows\system32\csrss.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventID=10 EventRecordID=258499 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.427" SourceProcessGUID={F522A29C-3E1A-63DA-2E00-00000000BB02} SourceProcessId=2692 SourceThreadId=3432 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=23 EventRecordID=258498 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.427" ProcessGuid={F522A29C-3E2D-63DA-7B00-00000000BB02} ProcessId=3992 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=4D91A5FEB696B1D927D465DB4A51560F,SHA256=93E6BADEE5D498DA605810D24ED859D2964A2DB4EB08A34B8E78146C009BF44A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=1 EventRecordID=258497 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:46.239" ProcessGuid={F522A29C-447E-63DA-A401-00000000BB02} ProcessId=4464 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" FileVersion=10.0.10011.16384 Description="SplunkMonNoHandle Control Program" Product="Windows (R) Win 7 DDK driver" Company="Windows (R) Win 7 DDK provider" OriginalFileName=SplunkMonNoHandle.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"' CurrentDirectory="C:\Windows\system32\" User="NT AUTHORITY\SYSTEM" LogonGuid={F522A29C-3E0A-63DA-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D ParentProcessGuid={F522A29C-3E1A-63DA-2E00-00000000BB02} ParentProcessId=2692 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=10 EventRecordID=258496 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.332" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=6068 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1010 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)"
EventID=10 EventRecordID=258495 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.332" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=6068 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)"
EventID=10 EventRecordID=258494 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:48.332" SourceProcessGUID={F522A29C-4060-63DA-E700-00000000BB02} SourceProcessId=5868 SourceThreadId=6068 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={F522A29C-447E-63DA-A401-00000000BB02} TargetProcessId=4464 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190)"
EventID=23 EventRecordID=111218 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:48.577" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=0CA8AAB643B1AFEC5CAF2DCC088FCAAA,SHA256=D3A62D2B853E8032FCC291623270217CDF5EF64E2722F4754914C6BF55DCE1CD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=111219 Computer=win-host-ctus-attack-range-306 UtcTime="2023-02-01 10:52:49.656" ProcessGuid={A4BA2B7C-3E18-63DA-6D00-00000000BC02} ProcessId=3672 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1BB503D37FB1C3C8E238405EBC497B22,SHA256=9889AA1D5E2934968EA3B41481816040E3C569F83DF53C9B2D917414B93A284B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 EventRecordID=258530 Computer=win-dc-ctus-attack-range-865.attackrange.local UtcTime="2023-02-01 10:52:50.994" SourceProcessGUID={F522A29C-4482-63DA-A501-00000000BB02} SourceProcessId=6116 SourceThreadId=4268 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" TargetProcessGUID={F522A29C-3E1A-63DA-2E00-00000000BB02} TargetProcessId=2692 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
10341000x8000000000000000258529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.785{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.782{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.781{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.777{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.777{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
10341000x8000000000000000258524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.777{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190)
23542300x8000000000000000258523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.665{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39957C1E461A74E157997CF6780BE425,SHA256=BD1354C36A91E3B57DEC59020A16222D54A01413D407BD1E4AEADECAF398D0C4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.656{F522A29C-3E1B-63DA-3800-00000000BB02}32483268C:\Windows\system32\conhost.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000258521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.653{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124F814EB6E0D8174A46CBEDB10AB0DB,SHA256=038B342CF34D810A6256C838C753A5B3FE9573A12403FD23E5327F8FD58DD878,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.642{F522A29C-3E09-63DA-0500-00000000BB02}420556C:\Windows\system32\csrss.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000258519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.643{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.643{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.643{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.642{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.642{F522A29C-3E1A-63DA-2E00-00000000BB02}26923432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000258514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.642{F522A29C-4482-63DA-A501-00000000BB02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F522A29C-3E0A-63DA-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000258513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.642{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EE65758037397FF7E54A66DF8EE1A979,SHA256=2830D6AFA326FF27EEA0B8701449EFCF6E81E03CE2E20A6123B45F5DDC1AB7AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:50.756{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E47E9AA45ECB8ED2979798818CE3302,SHA256=FB45D2551E7E1FF78847177646AEC0F1B85F55679838131729C320672DF8D357,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:47.323{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50023-false10.0.1.12-8000-
10341000x8000000000000000258538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E1B-63DA-3800-00000000BB02}32483268C:\Windows\system32\conhost.exe{F522A29C-4483-63DA-A601-00000000BB02}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E09-63DA-0500-00000000BB02}4201768C:\Windows\system32\csrss.exe{F522A29C-4483-63DA-A601-00000000BB02}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000258532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.518{F522A29C-3E1A-63DA-2E00-00000000BB02}26923432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F522A29C-4483-63DA-A601-00000000BB02}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000258531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:51.519{F522A29C-4483-63DA-A601-00000000BB02}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F522A29C-3E0A-63DA-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:51.847{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D1747A6D11F72B01BDAEFA2356B054,SHA256=17828499811A130166F9C06EC25A2A6AD98B1942F51520046FDFF429C23E5337,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000258539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:50.157{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000111223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:52.946{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758E210134D9B04253BF92E77B521A6E,SHA256=108DE80B0D75FB61303905E431256E1E286C573BBFB28808A9BADBD373795AF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:53.328{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b5f98aa993079d68\channels\health\respondent-20230201102512-026MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:54.452{F522A29C-4486-63DA-A701-00000000BB02}16005308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000258549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:54.120{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BB9A4818513888073187F6B66B0201,SHA256=153B2B38007A41897D002B03BC5F28AF7AAC5206A81B5D174DCE32C6F6EA7D97,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:54.106{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937A056DECC1DF493B7BED90EC8A7FE0,SHA256=AA0A709BA99EAFF08E32AC6F878201A45402ED0D51B8B1C979A92E47F2221AF1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:54.090{F522A29C-3E1B-63DA-3800-00000000BB02}32483268C:\Windows\system32\conhost.exe{F522A29C-4486-63DA-A701-00000000BB02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:54.090{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.795{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.789{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1100-00000000BB02}444C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.780{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.771{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0F00-00000000BB02}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.765{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0E00-00000000BB02}104C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.757{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0D00-00000000BB02}920C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.750{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.721{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.719{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0900-00000000BB02}596C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.322{F522A29C-4488-63DA-A901-00000000BB02}54725436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E1B-63DA-3800-00000000BB02}32483268C:\Windows\system32\conhost.exe{F522A29C-4489-63DA-AA01-00000000BB02}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E09-63DA-0500-00000000BB02}420436C:\Windows\system32\csrss.exe{F522A29C-4489-63DA-AA01-00000000BB02}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000258577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.291{F522A29C-3E1A-63DA-2E00-00000000BB02}26923432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F522A29C-4489-63DA-AA01-00000000BB02}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000258576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:57.293{F522A29C-4489-63DA-AA01-00000000BB02}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F522A29C-3E0A-63DA-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000111260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.381{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E80-63DA-8200-00000000BC02}584C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.379{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.377{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.373{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E09-63DA-4200-00000000BC02}1880C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.372{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-4000-00000000BC02}1748C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.370{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-3C00-00000000BC02}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.369{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2B00-00000000BC02}2880C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.368{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2600-00000000BC02}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.366{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2500-00000000BC02}2332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.364{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2300-00000000BC02}1400C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.359{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2000-00000000BC02}2040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.355{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.350{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.347{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
23542300x8000000000000000111246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.347{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23849B520977A05ECC48EBFD77D3FC24,SHA256=AFE9C4A57BBFB685D37098CC7A9BA154F085CA75180DB92EC4E0697A3BD0B14B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.341{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1900-00000000BC02}1816C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.328{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1700-00000000BC02}1180C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.326{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1600-00000000BC02}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.306{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.298{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1400-00000000BC02}964C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.293{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.286{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.280{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.275{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.270{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.263{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.258{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.252{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.246{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
10341000x8000000000000000111231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:57.244{A4BA2B7C-3E06-63DA-2100-00000000BC02}8763004C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039390)
354300x8000000000000000258611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:56.051{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000258610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:58.135{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:58.131{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:58.129{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:58.127{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:58.122{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:58.118{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
23542300x8000000000000000111261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:58.428{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25178903A4B08018D875508B268E62BD,SHA256=AD99BCF5EC8C8115F379C03AA7E69046E0BF5E0EEF4C1801269801B5EC72B28B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:59.852{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C8B88CE03B1E0529C8654025872C20,SHA256=28628022CBD629FA9D7AD1352E8E6ED3C874E804A8A263A8CC1DB06767FE3CF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:59.528{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC1437C2A0627B4CC94BC8334E2EF42,SHA256=997704E637E5EA3357A8D1FD75D57981E69DFEC44E8A6AA1675810586F9F434A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.690{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.687{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.683{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.682{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.680{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.679{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
23542300x8000000000000000258616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.491{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE486E6500AA0E9D4B166062BE109C6,SHA256=20C355D96105A954ABA959B5A430CBE683BCFA7AEE6A081492CA41D10537AA86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.475{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FF3C6A1827A818F49C53EBF2EBFB9A,SHA256=81C4BDBF7D9965B9184180390F2825A7417DB43B5027248338AA2707D31FDFF0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.171{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:00.168{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
23542300x8000000000000000111263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:00.621{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B063DC39C15E54B5075B5E35C1B023,SHA256=3E62B43DCF14134B31A7215ED132FB9C1C6DFE9DBE146EB8BC6F96628FE24BA4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.784{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.782{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.266{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.265{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7C01-00000000BB02}4804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.265{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7B01-00000000BB02}5680C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.252{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.243{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.218{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.211{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D800-00000000BB02}4508C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.202{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D500-00000000BB02}4408C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.196{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D200-00000000BB02}2060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.194{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D000-00000000BB02}4032C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
10341000x8000000000000000258623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:01.192{F522A29C-4060-63DA-E700-00000000BB02}58684132C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E94-63DA-8900-00000000BB02}2244C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EEA190)
23542300x8000000000000000111265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:01.691{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8290EB0F9F08B3AABFD6A59F5DC47FD4,SHA256=F733C5500A58A7855FFC4875D32D86E5247F5536E2C04F93F8B5A5CADFAA842B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:58.258{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50025-false10.0.1.12-8000-
23542300x8000000000000000258638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:02.913{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA314063EDAB4D8E8CC314A3E23BC7BD,SHA256=A880CBE9B28A0A7052530B4D74F5BE351AC3B3B6128ABD5ADDB3EE13160DAC90,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:02.913{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B30942A8FFEA979E21D8A2034C5E11E,SHA256=53049AFE9DB81E746EEC6747268A6204A606910DDC59753571419BDB4E5024CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:02.093{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A13C93F00BBD6D65B7B246DDE4CA5E0,SHA256=84B25A9EB7DF87AD0105C73A24E263504D08A8944AB7E8FD196E23B1405253F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:02.772{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF85D6D17E43A938309B4FDE6D96E56,SHA256=178D4DBB6919553A42E6D37CC833415681970E1D2B38D3BF3574323D2CFFB30F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:03.851{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCEE6DA32EF12E906C5AA2AF0466F53,SHA256=CF003B201F47AD190CB64DE1A2B0CB32A2B48D8CDADAF78265299A051197F442,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000258639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:02.007{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52407-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000111268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:04.945{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4E5D40685B092764C11EE06F57ECEB,SHA256=5E41549AAFFFB1C0F23C4AE6F2DD439FD3792328EE9A6CD095CC45F6A01D9053,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:04.129{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50026-false10.0.1.12-8000-
23542300x8000000000000000111269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:06.039{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AED4E1443B16484A66182E20E074F01,SHA256=64DD68B93788E11650E21D8B2B5B0853B821411BD290234B4A677DFE28BC465F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:07.893{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9C8BC8C50E644C04BA921523353260,SHA256=D9524BA99F619C4566B53B90122AF71C7A13D759D22CC3EEAB0FBCBE1592DCDB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:07.284{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754057DB5187F26FDFDC7DE6A2B626D0,SHA256=1DD6B9C3FE8F21C2227CD421722049A72C7F1153F6F2087464E842010CEF118B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:07.133{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D086FB3F1D514533CE269680784102,SHA256=821DE90B4C706905A95585103E4DF41D5F33DEC17A5A661A704BD5F0124911BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:08.714{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539871F7FBA1284EEF717B3BF0CE48B9,SHA256=094DD22E795522EBDF357A5B1B111F0BF4A249E5E199B5246070403138E7E6D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:08.231{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B245DE0A598AC2C3A218A83991CD3A7,SHA256=1CDD9A77AB34D278A5292877C80E44A63410B827BF2832F5F9C5E1AAF00A51CC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000258643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:07.193{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000111273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:09.321{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6638A3E848056AA98EBDE0A58E21AA6D,SHA256=D123C3C8B67D1D78A2586431D01FE9A04CC92036A8E8EC2A4199F5BCAA8AF2D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:10.406{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6798B9A4815EE3CF04B1D1888D37FE5E,SHA256=3F9C322EC5CA8AAFCF6CAB0C637FA195F17F19E863D1E1BA7C1703841ED7D1DA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:11.129{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82246BF6D623037B9B77D17177FA4E49,SHA256=E1E320ABC4D29F93E7D472803E1137B2BA89DE9A425F61B2C13C0193DE852A56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:11.127{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3783C1AED0A1C490A620E2E2F7EE74EA,SHA256=15AE6FFF7418487DFC2B992BDBB2607011A836A91BED8F3C5CC961D4665F8FC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:11.599{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7DD2540084C412103C0ACB2AF21797,SHA256=20BF42D3AE13B8D70853CADAF62AFBF2F99B5B26F62A19AB5EA08B2771094552,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:11.348{A4BA2B7C-3E06-63DA-1100-00000000BC02}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0388F7FC406D262ABF85DCC6ED101597,SHA256=DDB4A5AB6C9710D25FB313A2CF70057D0F5F0AB27722214994C42AC7EEA965FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:12.702{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CCB38AC32D870395D667CCED516A8F,SHA256=470C3C8BFEE4FFF06C5704191296D42A97B9E91A332F71ADEE9921DEDA2D694F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:09.324{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50027-false10.0.1.12-8000-
23542300x8000000000000000258647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:13.496{F522A29C-3E1A-63DA-2C00-00000000BB02}2648NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0952d6a09371e4319\channels\health\respondent-20230201102532-026MD5=C992C93F6889836CE81093D64446FB44,SHA256=44CC6EB9534D1C68ABEFC8F37C94D933CD5A53D96A5B79ECC0CFE8E440E1AC73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:13.064{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D7334E2E4773633E4DC6B5D1CD5210,SHA256=C61947BA525C60AE73EF0446E5508C7342A431D9EF8A6654ACC504A0E53DF011,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:13.799{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2341AF41645E54218529BC1109E327B,SHA256=D90EEF347C375D10695DF6E4587E7B02CDF3C329B2256293ABB20E609AB5C33D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:14.896{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA02207D83BDAF830AEC198DB5E89EA,SHA256=9E350BDA063160F9EA80DB747D03463B0704DCCAEE792C944487E6632953DBFB,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000258650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:13.079{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52409-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000258649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:15.611{F522A29C-3E1A-63DA-2C00-00000000BB02}2648NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0952d6a09371e4319\channels\health\surveyor-20230201102530-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:15.605{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1620D50EDDB95E85A4115473739E32,SHA256=2BA4742A496ED1C7D4152003E580F111EE37EABB65E7A5FFF35151AFB84853F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:15.980{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB04864E189F29B4A163815118973313,SHA256=75C69468F63AC690AB9B3E5033AFC814478573489E48F759B0765A5233D5BF1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:16.980{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF54453820563869087734F09F0A55A,SHA256=290E156D141DD84BA72D14533CDAFDD38A552585FC9907CEFF3ACF387ECDC2B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:16.307{F522A29C-3E1A-63DA-2E00-00000000BB02}2692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B51209083E71397956C2018F1710F2CA,SHA256=B3853E7A5E17AA7CB1D770CF5FAF2E7D43179E0BA9354413F1BD695D17F7D3F9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.941{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2900-00000000BB02}2620C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.939{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2700-00000000BB02}2580C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.926{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2600-00000000BB02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.917{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2500-00000000BB02}2496C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.913{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E15-63DA-2300-00000000BB02}2352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.910{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0D-63DA-1B00-00000000BB02}2032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.908{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1700-00000000BB02}1388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.878{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.867{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.854{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1400-00000000BB02}1064C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.847{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1300-00000000BB02}936C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.834{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.822{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1100-00000000BB02}444C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.813{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.801{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0F00-00000000BB02}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.794{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0E00-00000000BB02}104C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.790{F522A29C-3E0C-63DA-1100-00000000BB02}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E43B86F8E1831EE544FC406B24C11131,SHA256=A826582FDFDF209863E369F1F84E362CAD79A863085439404C2E83606AFCA99A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.785{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0D00-00000000BB02}920C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.782{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\chs_boot.ttfMD5=DD2B8A10E7836FAAF2DF405140A444AD,SHA256=364EA471C5CA390CE387896F316A62BDFB3BCB1F7D6FFDAD685C341AB77A4094,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.774{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.733{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.728{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0900-00000000BB02}596C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.635{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\BOOTSTAT.DATMD5=4A2D12A16430F72BA6BEB45B45A4A19F,SHA256=A6DB4811EF61EC5E314E7E455A36EFBAF7FBC450202DD7DD655E197ED3291150,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.626{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\BOOTNXTMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000258654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.625{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\$Recycle.Bin\S-1-5-21-3145359389-666042155-3036903564-500\desktop.iniMD5=A526B9E7C716B3489D8CC062FBCE4005,SHA256=E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.513{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD6490B276031BB5B11CBB9A6AA48F8D,SHA256=76448B1D83C482932F0565F2D46BA106B8202ADBBB988D54D1994D1E2845E260,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:15.243{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50028-false10.0.1.12-8000-
10341000x8000000000000000111311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.391{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E80-63DA-8200-00000000BC02}584C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.389{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.387{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.384{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E09-63DA-4200-00000000BC02}1880C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.383{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-4000-00000000BC02}1748C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.381{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-3C00-00000000BC02}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.380{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2B00-00000000BC02}2880C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.379{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2600-00000000BC02}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.377{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2500-00000000BC02}2332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.374{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2300-00000000BC02}1400C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.364{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2000-00000000BC02}2040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.361{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.355{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.353{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.346{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1900-00000000BC02}1816C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.332{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1700-00000000BC02}1180C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.330{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1600-00000000BC02}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.308{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.301{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1400-00000000BC02}964C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.295{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.287{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.277{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.270{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.263{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.259{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.254{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.250{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.247{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
10341000x8000000000000000111283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.246{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762852C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135003D0)
23542300x8000000000000000111282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:17.063{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DB98C44613127E87A4347CC8DAA02D,SHA256=FA8651B196A4637FFFDC106E24692D902956194F69159C14A817CB0BAB6A208E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.759{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\ConfigureRemotingForAnsible.ps1MD5=F2560EF8E30FC86E62B74C702B0AADAB,SHA256=A28F6CC8A0409A90CC11522281EFCF4A242ECDA8D2E048DCEFF20193252FB366,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.759{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F2560EF8E30FC86E62B74C702B0AADABA28F6CC8A0409A90CC11522281EFCF4A242ECDA8D2E048DCEFF20193252FB36600000000000000000000000000000000.ps12023-02-01 10:53:18.758
23542300x8000000000000000258770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.756{F522A29C-3E1A-63DA-2E00-00000000BB02}2692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=497B4968F2EF9EF7DA49A4337D0C090D,SHA256=26DC17B4E8A2CBC1618152473C4DDDDFAD73337594DA0C5AB5D15675F950E537,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.756{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\zh-TW\memtest.exe.muiMD5=04499A1B466F5A9114F6ECA361BA8059,SHA256=692DF1DDC7DD27CF0D220BF2EB4AFDFA680FC92E9D4B00832AE57A590435B796,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.752{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\zh-TW\bootmgr.exe.muiMD5=716EC450ACFFD8056E284080517C24A0,SHA256=F71D401F529E16495B6DF52FACDFB2387CCCE18BF2A57ACBEF816FF49C6EE607,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.748{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\zh-HK\memtest.exe.muiMD5=B800E038EFA2F5020C9D264F56C0C4BA,SHA256=DAE120D9715C11CB5354709B3022757D49840CB5C4AD1694F019D71A8FE25D58,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.745{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\zh-HK\bootmgr.exe.muiMD5=725A66D9636402856477E13E70D32183,SHA256=67EC7B04E15CE18A8282BCEC626BDA0603DD3A5F52CBA464D354548272F4304F,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.741{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\zh-CN\memtest.exe.muiMD5=4F9E92457122C6ABE6A6DD884767875C,SHA256=72D1495BE2E07E76CACAB655F206567DEA7D4DE8563B0EFC27D04DB40A932795,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.738{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\zh-CN\bootmgr.exe.muiMD5=ECBBECA9B7ABFC54899ABF3750A6BA3A,SHA256=57D8029A52A444E74663C29A84F853A76997DBEF3289CE0C74D8C137CFFDAD2B,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.733{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\uk-UA\bootmgr.exe.muiMD5=EBB19116422AF3F3659732142683CD3E,SHA256=821B41B81A6DFB33AED7A93AB4EFCF306C8D5620B774D554191CCED0F28DE7AB,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.728{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\tr-TR\memtest.exe.muiMD5=F7423056834DFBA16D7E9A5BA082DDE3,SHA256=00BB296B66B7A3A52C575B1D25CCCB5790103433DD9D89C91CB6699C00AFA159,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.724{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\tr-TR\bootmgr.exe.muiMD5=C3486BEA6255A2259566D18FAB881F87,SHA256=F46874A8F49011F33300699B9BE9AC926553C63FE56F1C09E41EC4837D3928F4,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.702{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sv-SE\memtest.exe.muiMD5=1F3EA7751F2A4123BA6F7CFA64FF4DCE,SHA256=754D186601BC4ED00C745E52E06F45EF26AC7514646CF3A9BF813FC51078C5A9,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.691{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sv-SE\bootmgr.exe.muiMD5=0746A51490CA7AE263F35CA7F728D0CB,SHA256=EE2FA641B23B48CAA21D61A2453E5534D523587E98C0F211ABBA8E03A0C8E160,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.685{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sr-Latn-RS\bootmgr.exe.muiMD5=569B82CA4F9AE60DA303BA8A9F43E351,SHA256=0C0543ABCC2A0A50E5652B037B831EC5511760ED065A68373607D187006C7FE0,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.680{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sr-Latn-CS\memtest.exe.muiMD5=B01B87BFE855222D01B6E4BAC5B8C6AE,SHA256=CFB107E807F7947E4016AE16EF47EB6CAFA4FDD46BA051F32A1E84C3E59C36E0,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.675{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sr-Latn-CS\bootmgr.exe.muiMD5=27B0E194440DDD186E0BEDF7E74D59CD,SHA256=DC1022098E1C14D904A9A0E8E15F4F616AE893A9DFAD4449D4F278D2C8DB23CE,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.664{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sl-SI\bootmgr.exe.muiMD5=0FF5C08725AB2C11F153FD88D1E44B38,SHA256=EB82B8AAEF152FC7681BD7ADF69402DC30153664A892F5ADE477BE770606C0B9,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.659{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\sk-SK\bootmgr.exe.muiMD5=5DF1CFC7C95AA56E3331DC603E0CBC57,SHA256=CFF6224BBB0BD56AD15957C3AAA4B74413E11F33AF59546DFF04F698F75BFDCD,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.653{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ru-RU\memtest.exe.muiMD5=96E2F98F9D44CD01A9A66E1F5129F4E4,SHA256=D61916CCBA0230B58C1DFAA2115EB6630668D1A307CA27A3BC667E4B4082C2AF,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.646{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ru-RU\bootmgr.exe.muiMD5=F7B45D50E99E0828E1CF45E53A997336,SHA256=73BDA32F981A99017144067ED372A8EB4B449F64AF695C361D8716D31E31EEB3,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.643{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ro-RO\bootmgr.exe.muiMD5=6440843174CC8F6F5CE02D0745E1643C,SHA256=BA55831D4FB3E7860733F1961CDD5579F64D62F587D2F6260345C9EA951D8107,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.638{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\qps-ploc\memtest.exe.muiMD5=E450A5C2BEC69C4AB3D20B7477F90413,SHA256=41BB036B52C7F264BDDB7DFD91A0FB33DB542BC45345780035E2DFEBC02C8DAE,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.634{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\qps-ploc\bootmgr.exe.muiMD5=B768543ED0E53ABA32AB27E8CFFD1F1B,SHA256=29264F4FBCF426EED4B6055032797622388738E91E0A7E2EBDE2B3C71053127A,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.629{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\pt-PT\memtest.exe.muiMD5=870BE7BC7683BD58B3CDEFDF49E287DF,SHA256=A7CD1342DC7A91B0D197FC483E3D47E30AEAAD11448BCDEE1D7EAC56F8E041E4,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.625{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\pt-PT\bootmgr.exe.muiMD5=8C870BDE9A44DB31470E7F0F449863BA,SHA256=8C5DA51BD5621B4FEBB789AC4BFA2498182EB27AC170C7FF1905C2E6995D8F17,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.620{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\pt-BR\memtest.exe.muiMD5=F0EC515C90DCE7D7085196530CF13C88,SHA256=BD13EF13DFE604152AB7FE68C190080104BECE7FC3AFAAFC17BE0492EF0CC701,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.617{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\pt-BR\bootmgr.exe.muiMD5=967DDF316202905896E9C4573BC86C9A,SHA256=FB7F368AB5AD6A01D6FA3D3E6A8A76E97D61EDB85C241E802A7C72018A7824D6,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.609{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\pl-PL\memtest.exe.muiMD5=B025EFC1705A557CD5D0D9A9A9E59326,SHA256=0CEA795AD25BC51B0DD89B3AE360D347BB8CA03638BFB6514F19462F28E8BA6E,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.605{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\pl-PL\bootmgr.exe.muiMD5=4F1CC574924504C77EB947F160A6E319,SHA256=67A656EBDD1C39248D0AB80E75038A4E88F440E9A9192D35656269C4786937B7,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.602{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\nl-NL\memtest.exe.muiMD5=44D6751A5195D1FF757CC66DE46364BE,SHA256=05AEB968B3922604353AB65C5FB2D614FC8A32A1481A27C246B613693CB11CA6,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.599{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\nl-NL\bootmgr.exe.muiMD5=E703FF7DF12FE810F4E429C402F4728A,SHA256=AB626EFD6D9889584FF024AC79A74646BF42D9EDDB7BEFF022386EB70D0F744E,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.594{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\nb-NO\memtest.exe.muiMD5=6E14E76D1DE4FFE4A5F3C8B9DF9F98AC,SHA256=03894590BA994F1144EA56D12ABEDC62710D2A35FF05AF726C654F89C9FD03D2,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.590{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\nb-NO\bootmgr.exe.muiMD5=3FB556752945556A36CAEE0327834B87,SHA256=87F85E8AF80D292B1202A4F101145D259650A1D1CDE06F24468056A7666AD068,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.584{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\memtest.exeMD5=7ECE8D119153A829CA1B7627B6DB9A9F,SHA256=6C8C6BB0227B061E42C4F802F5A41E56158C5887AC56DABF2507F63770FC70AE,IMPHASH=00000000000000000000000000000000truetrue
11241100x8000000000000000258737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:18.568{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7ECE8D119153A829CA1B7627B6DB9A9F6C8C6BB0227B061E42C4F802F5A41E56158C5887AC56DABF2507F63770FC70AE00000000000000000000000000000000.exe2023-02-01 10:53:18.568
23542300x8000000000000000258736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.424{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\lv-LV\bootmgr.exe.muiMD5=22B327EFFE3BF679DE6646B23AC95E0B,SHA256=080D75D4345DC9638862FDF5DB5BCB95AFC7BB7D623B9748F8BD7CD637238C76,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.418{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\lt-LT\bootmgr.exe.muiMD5=CDF22D4FBBD98CE551256B683F4408EF,SHA256=784C00FAEDCDD9D88500BDE05BAB148574498EA24CF1F088C380A9D3CF419599,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.414{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ko-KR\memtest.exe.muiMD5=42BBAFA477CBC0BB79C6EC1A64ACB537,SHA256=199928E0298AB0F91D87CE04807F362C577100A65CACC2338A3341C4D8B328F5,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.411{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ko-KR\bootmgr.exe.muiMD5=6A0FB63D2BF39A6699905E583AB66692,SHA256=32C5543E237BFC4057C24B2B96DF2C612656C7F6E0D4B01E47523C127328397C,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.407{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ja-JP\memtest.exe.muiMD5=96EA8F9AA07D9955C1C056E6F37FCFAA,SHA256=315E77381AC96D5BF8AB63A971416497ECCBAC46A9C5AA25836FAEB13CE7D51F,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.401{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\ja-JP\bootmgr.exe.muiMD5=EC10B8DAC5A3C902EF746317CDB02877,SHA256=D4F6D17087BDFE9ABE31F8F3664066E698411191DD00A65085C764DE7FC24DD4,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.396{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\it-IT\memtest.exe.muiMD5=5F141690CEA4E0BCC9C65300E0B9CCBA,SHA256=9C1793B9C7208738084218847F8CE254C0FB710E739AF3C80EDEF7EA978ADF7E,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.392{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\it-IT\bootmgr.exe.muiMD5=F5912925F1407BC1114070574A23CC71,SHA256=DB350F71D8E501C6346E1D6A927ECFF30C705DB9A9B25CE615A254378424589D,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.388{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\hu-HU\memtest.exe.muiMD5=A42BEE953FD94AF8C51ED44CE3D57EC8,SHA256=454E29FE5CEAD6535BBD7F174556564AFC3D51F3ED2CE7288C43EF05E175BE8F,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.384{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\hu-HU\bootmgr.exe.muiMD5=FDBF4F56DA23E478FF2879364174AE9A,SHA256=69B47B636757723876CD6A7AAD7087418A7E4F579DBA0C04A61B64E607658FDD,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.379{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\hr-HR\bootmgr.exe.muiMD5=D5A77C170C53B0C1082279B7D4BBC429,SHA256=15E4D14769AF1D8E9198FB4C2B665712E24B93F1A4F1B055982477E6200ACBD0,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.371{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\fr-FR\memtest.exe.muiMD5=30FD351EDAD2C75A09EFDC709024B546,SHA256=D7716BF602EE5EED5B10EB8BD425C54501EF592BB67DE73CE365BC04882BD4AE,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.366{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.364{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\fr-FR\bootmgr.exe.muiMD5=D00DA3185D744ED9D1FCB27365C0BD31,SHA256=7CA4EBD1942EEB5DAA6162F796F10452CEB4FCB98A06E221CA48F122AEF827F2,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.362{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.359{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\fr-CA\bootmgr.exe.muiMD5=EC3805284407DB7458FCAB93DD300F67,SHA256=D86CA5C93D718C8C890059BE1698710F1C789CA0BFEDD2D196B1DD5F5C74F1DA,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.355{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.353{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\fi-FI\memtest.exe.muiMD5=6E24690FFFFE899A4FD2E8EF9DBED0C0,SHA256=D41DD8B729B7F907F2CECBA5B7BC7265A89989597244AB9F7F22B6404A1034B6,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.351{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.348{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\fi-FI\bootmgr.exe.muiMD5=9EFE5DE55AD0F59338BE1F27575D2476,SHA256=826D3F8AE2FAC0B76547BEFD3F9F093D151E759BF0566BCF54F0E3016A5F495F,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.346{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.336{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\et-EE\bootmgr.exe.muiMD5=65E204BC7722478B428144DBE72BBB58,SHA256=B6BD0CE422CE2F93BE7F45EFD8FF8E176C0EDC60B6A242C9A8D5CF197E7ADA07,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.328{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\es-MX\bootmgr.exe.muiMD5=84724A103151CBC868B8D01352736592,SHA256=810B4BDEAF2C674CBCB52F40E63E831C38CB00EF0BCA4D1D7CF0CFAE6BC340F2,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.322{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\es-ES\memtest.exe.muiMD5=0E583C0E9A95A01894A20C2CF3F0CE79,SHA256=294E91BC453970BC4D4B7EBCC30B8934FBAE77D71496AB2FA4973189F69B00F7,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.317{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\es-ES\bootmgr.exe.muiMD5=7B4878C5C82F2944A0B00AB6713EC278,SHA256=6A562EF27DBD93119FA29C2FDD2596C8C1629C5BAEBF3AB51C6DAD64AAFCEB7A,IMPHASH=00000000000000000000000000000000truetrue
10341000x8000000000000000258711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.316{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.309{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\en-US\memtest.exe.muiMD5=5FFD4B615210F2283B3B6F4CE4564E24,SHA256=07CA2BD83D07F3C933D1C95C94D1713B51B0ADEC0FBEA907FD629D793B121BD8,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.303{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316025230F06715B474E292F1D9141C7,SHA256=1579FEF2823BA12E9B84B687BA1D784135304995859716A43BA4C6F802236C2C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.302{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\en-GB\bootmgr.exe.muiMD5=2280664D3AC0F03B7FB1B1E2A299944C,SHA256=5E5C21A986BD869D1FB04884B17CE343808D06D7E05B5E7D86B1E7D07847F1B3,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.297{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\el-GR\memtest.exe.muiMD5=07DF860CFCA3BC3787B17FB550084EFA,SHA256=751DB76BC12844E9E47F0FFAADB637F650CD60BCA107111D0F7FDA5D113A50A4,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.292{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\el-GR\bootmgr.exe.muiMD5=A19440F4F6BCC3443595516F21F7CD45,SHA256=B612C0A9FFB855DBBB1634516B7A9FA904A4025205464CFB6D08D2071F1CF0C3,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.287{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\de-DE\memtest.exe.muiMD5=88886393879E9215B8C44EFC0E7314F3,SHA256=35B6C19AD5913323B0519B3F3E01148C8D9A51F0D42FEDA382144FDDE36EA020,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.284{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\de-DE\bootmgr.exe.muiMD5=36831F21F333617200140034709A7F68,SHA256=5DCC3888BFADC13512376827E96981CC3955D189A2D3A76C2AE2D2B6229B4FB9,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.279{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\da-DK\memtest.exe.muiMD5=2B51D140AF511C4E26D457BE1BD2BF1F,SHA256=67D705CE83AAB4A5E68C0BD19941DBA830D8E250D19A66E49334AC964BBA0F11,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.276{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\da-DK\bootmgr.exe.muiMD5=DA481B1E6AFB661B54D3142CA94F5A29,SHA256=CB05E49B783D5859BBCB3DBBA29541521B1B051560B3CABE62933BC9054EBC73,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.271{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\cs-CZ\memtest.exe.muiMD5=1F7E9B25F227EE5E5C0E9631157BBB72,SHA256=E167D60779A89C139CCE3730852591E5D7FFBB07758F9259F122CB10738A3BAC,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.268{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\cs-CZ\bootmgr.exe.muiMD5=AF445FE8DBD812CC94E2E7D3299417A0,SHA256=10FE716EBF2816D506DA022917302A04DB24704F2E978CF7A514234F94DFC8F2,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.262{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\bootvhd.dllMD5=6A7D5B8A7A07E4E5CD76D3CC8480619B,SHA256=261C49086A3890E967FCF6255488E1FF671392677791A6FFFB3644B8A1F12F33,IMPHASH=6451EB564AC0D794F5F11EA4833D63A5truetrue
11241100x8000000000000000258698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:18.262{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6A7D5B8A7A07E4E5CD76D3CC8480619B261C49086A3890E967FCF6255488E1FF671392677791A6FFFB3644B8A1F12F336451EB564AC0D794F5F11EA4833D63A5.dll2023-02-01 10:53:18.262
23542300x8000000000000000258697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.258{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\bg-BG\bootmgr.exe.muiMD5=FDBD6B4331966FC6EC21072975A4D2BF,SHA256=5F6D3D70B3962DF4E561FC7F9FBFD28425842D33F151911689C7F89E70F94AFD,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.252{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Resources\en-US\bootres.dll.muiMD5=7A512A988973A2C11BCEA9B30B4E0035,SHA256=E0AA58ABBD98869731954C27899EB31AA8130F1FF30211990105414A3DAC1C70,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000258695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.247{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Resources\bootres.dllMD5=5151F06ADBEF428CEF72D2AF4D6A3A9B,SHA256=9EF28441D6031EF20F41B4C7EA8CCD99BA44B8F60DFCC593C25AE8F4BC837716,IMPHASH=00000000000000000000000000000000truetrue
11241100x8000000000000000258694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:18.247{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\5151F06ADBEF428CEF72D2AF4D6A3A9B9EF28441D6031EF20F41B4C7EA8CCD99BA44B8F60DFCC593C25AE8F4BC83771600000000000000000000000000000000.dll2023-02-01 10:53:18.247
23542300x8000000000000000258693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.243{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\wgl4_boot.ttfMD5=A83FD21C87F62FB3C32211F33A8AC6BF,SHA256=0A2719F0E43FDD74F66A5FB190566E947DD8132E51836B51EADC914DA8394A1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.239{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\segoen_slboot.ttfMD5=A5E4C4AF3DDED84A546C8DEE9A7222A2,SHA256=40D99A2455149C4EAED058FCD8DD49DDEA6048A3B27E891E7A157749712D30FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.235{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\segoe_slboot.ttfMD5=170B8C73A77FDC0A46D2C2B36F1B11B3,SHA256=FA67C72653C4DA22443BCF04C5C8AD79D96D052A9E479BFF6B759CFFD4D1AEB6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.231{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\segmono_boot.ttfMD5=DB5FD21B004664019A9A09B85F451028,SHA256=D7539230A0A55D58FF490513AF32664438075B467ECF415E42E0EB6004FD4DF5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.227{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\msyhn_boot.ttfMD5=00930511ED935B679E2E07421F7DF35A,SHA256=198DF5203824E171F9999885F62D4A89ACAF138A9CAC58F5D9E20D6B46D74ED6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.217{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\msyh_boot.ttfMD5=759A92FFEAF7A908B2A420AF3D825B53,SHA256=601B9FF0BA8B4E31114D7968572DBF8AF641F24ECE9B724D6AA969390E84E14E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.213{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\msjhn_boot.ttfMD5=ED85B56984A7B2E4B5DDD2E9BD4042E1,SHA256=2096FC123087671BF4112DD4238F7A88B1A259F518FDA211F4D142D553DE7320,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.206{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\msjh_boot.ttfMD5=6E2C99EBADE9C725E0129F22BE060DD1,SHA256=0C9B4E308CE39EA8BC89DBD7FDB3952BFD555300B0F61878E03A153CB593AC88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.199{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\meiryon_boot.ttfMD5=69881EC63F97542773BAE61975C847F2,SHA256=1CE0D5D45970E578E60F06342FBD1E7D7F67F5DE92CA84BB830ED4A29BC69E20,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.193{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\meiryo_boot.ttfMD5=953BD8C428503AE921D19AF3BB250BF3,SHA256=9527CA6F845B0AFF527E418F9CB1CD829FFFC1A4B6340BB5877E09686FEEB2AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.186{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\malgunn_boot.ttfMD5=E758C55DB2DE12786D6E9F0FF14FA6FB,SHA256=9DF30CB674790ADB9E5BF038CDF7F3C6B9EAF69F00FEA53A9951A395345E282A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.180{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\malgun_boot.ttfMD5=26363676F0C6BC09274BB0AC9D778F3C,SHA256=F79055CBEFC659000EA26E8A068DFF1AD990B39E08E25A923C96135508B59129,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.166{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\kor_boot.ttfMD5=CB8BF6A1DA8459E4B6FC9A44770F6D4B,SHA256=8227EB6F0548436CCFE099AD028D0D53B0999C9A05C58C43902D6A100F5A7658,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.122{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\jpn_boot.ttfMD5=3591414D4D16FF09C43D39649A1D06FF,SHA256=8D60B3BE8410C5C2B24D811BA9C240F48AB049439FF12B799E840B43BC9873E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000258679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.035{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Boot\Fonts\cht_boot.ttfMD5=BB32CE86E6A6860877AD548284FA1553,SHA256=A513662CB5467BBB6403DA3325AC80C156D230C91A56CCDEA3BA512F7E541CD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:18.623{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6D46301471BD4028B4F0D5F3A06818,SHA256=BDD47733116359D6B83287314F62857FFD7FD33C9F0124E6E0B7DE8042357B18,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000258773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:17.729{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x8000000000000000111314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:19.669{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06542A5577716EB128A7642FC7A9EEE,SHA256=11D97A0DFA22A4BFC99052C89C673F24CD218849F5D80EC66754DE0E4022FED1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.909{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.906{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.902{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.901{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.897{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.895{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000258776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.691{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE0E375DAA2DAC0C058AF02508C8C3E,SHA256=806DC51AEE02CF042F1FE3368917BA43D69884F4878B6CED143D34BF0D6372C5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.391{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000258774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:20.389{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000111319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:20.779{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BCFAC59AB613A770932DE336B87DC5,SHA256=4FE0E72281C7E1B3C25A9B69CCDA598FC40D27BB984CF9017B4257ABA4BC3B94,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:20.340{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:20.340{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:20.340{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628676C:\Windows\system32\lsass.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:20.326{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-2100-00000000BC02}876C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000259055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.971{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWSSDK.EC2Messaging.dllMD5=F6D3D35CE411413060133474DD3DBD58,SHA256=F659A9F96CE2C4F9AF06397474C51B39C91A903C009528F5A6FD2599BEFAF304,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.971{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F6D3D35CE411413060133474DD3DBD58F659A9F96CE2C4F9AF06397474C51B39C91A903C009528F5A6FD2599BEFAF304DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.971
354300x8000000000000000259053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:18.992{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000259052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.957{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWSSDK.Core.dllMD5=BD68EF38A09148458810D602E6324D6E,SHA256=7984FD8A05C3948FED05E1E4CF5D7FC8F013A1B2234B9EF6D1479B3F04CEFF5D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.957{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\BD68EF38A09148458810D602E6324D6E7984FD8A05C3948FED05E1E4CF5D7FC8F013A1B2234B9EF6D1479B3F04CEFF5DDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.957
23542300x8000000000000000259050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.912{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWSSDK.CloudWatchLogs.dllMD5=0073E1FCD0024699DA8B9C6765D46A1D,SHA256=B519E1E8F777D4778632F1DCBE8F0FE2E698CCF77BB5E38A07315960784F009B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.912{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\0073E1FCD0024699DA8B9C6765D46A1DB519E1E8F777D4778632F1DCBE8F0FE2E698CCF77BB5E38A07315960784F009BDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.912
23542300x8000000000000000259048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.907{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWSSDK.CloudWatch.dllMD5=426C784F99A6DB17463B925DBAB57F04,SHA256=94064A0B0C42E37065F9C20132E6B2C0818181DBBB0C47DEB67657C6822C90A3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.907{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\426C784F99A6DB17463B925DBAB57F0494064A0B0C42E37065F9C20132E6B2C0818181DBBB0C47DEB67657C6822C90A3DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.907
23542300x8000000000000000259046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.892{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.dllMD5=42864BE98646BEB5ADAA416DB564026E,SHA256=E51A3DBCE44808BEEA4F65CC96C067F7ABDD6E3DDE5E3868125A0B119FB4957B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.892{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\42864BE98646BEB5ADAA416DB564026EE51A3DBCE44808BEEA4F65CC96C067F7ABDD6E3DDE5E3868125A0B119FB4957BDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.892
23542300x8000000000000000259044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.849{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.DataFlowParser.dllMD5=F487149C43845C2F029BA61E8E817495,SHA256=626662B9EC85892FE9D5DADF53EB0703A7911DCBA2F1234782949246A2178F8F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.849{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F487149C43845C2F029BA61E8E817495626662B9EC85892FE9D5DADF53EB0703A7911DCBA2F1234782949246A2178F8FDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.848
23542300x8000000000000000259042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.846{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.Configuration.dllMD5=88509E4D93A6E18643483A8BD2482B3E,SHA256=98E5FF19DEA1FE1B9E135E90EC8357926D8BED65F6C58FA3BE038E418760CCA8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.846{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\88509E4D93A6E18643483A8BD2482B3E98E5FF19DEA1FE1B9E135E90EC8357926D8BED65F6C58FA3BE038E418760CCA8DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:21.846
23542300x8000000000000000259040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.844{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.log4net.configMD5=B916A89066F3188F67D8E6AED9CEE208,SHA256=B1844067F6ACD33FF3C0067BFD5A704CB7725CD761842573682B5CB66B55F2A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.842{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.configMD5=B77DD5C2D951A1D71247C99962984EFB,SHA256=8683D6E0A6EFE4DF76BBE2A64182D9F2781BD3B21A9CD8526B429B211292052A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.841{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exeMD5=1F7355D81FA0A76A6953412F7C96D0C6,SHA256=C0DD79EFFACE28196713BE788F29B85A81FAAF1FEFD5A150563BCFE7EA49E582,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue
11241100x8000000000000000259037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:21.840{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\1F7355D81FA0A76A6953412F7C96D0C6C0DD79EFFACE28196713BE788F29B85A81FAAF1FEFD5A150563BCFE7EA49E582F34D5F2D4577ED6D9CEEC516C1F5A744.exe2023-02-01 10:53:21.840
23542300x8000000000000000259036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.828{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\winpty.dllMD5=81AB0A63E7D0D1C22FEDFF9D44F5DC5B,SHA256=00E4870A69D72E2D779DCA8871FC6C8FF1AB1E411F15D77B307D8A526A3C0F22,IMPHASH=7C6B9CFE8C0B0ED85BA6CD7589BC988Atruetrue
11241100x8000000000000000259035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:21.828{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\81AB0A63E7D0D1C22FEDFF9D44F5DC5B00E4870A69D72E2D779DCA8871FC6C8FF1AB1E411F15D77B307D8A526A3C0F227C6B9CFE8C0B0ED85BA6CD7589BC988A.dll2023-02-01 10:53:21.828
23542300x8000000000000000259034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.816{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\winpty-agent.exeMD5=4726115317D7B5750B9F82DE06356887,SHA256=2C4E65E18115FC0672E2B2E017073CC01E26735E2C93FC291C6875EBE19431B3,IMPHASH=C5C2F7AF66B045BC3972B97B804DC21Btruetrue
11241100x8000000000000000259033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:21.816{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\4726115317D7B5750B9F82DE063568872C4E65E18115FC0672E2B2E017073CC01E26735E2C93FC291C6875EBE19431B3C5C2F7AF66B045BC3972B97B804DC21B.exe2023-02-01 10:53:21.816
23542300x8000000000000000259032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.805{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageintelsriovdriver_26_7IDS2W4AKQPGODCPZZL3HWR56GZXPIISLQEYGQ7G7H6NHLBKDCWQ====_21.1.0.jsonMD5=B0E2C78A343EDDD5BDE9768AB8639966,SHA256=84845660C057248027B6FFEAC6547DD34671755682AAB2E8E7639FDE91EC645F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.803{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsvsscomponents_26_AGRGDRLBIAAGXDGWI24ZWX3HTME43RT6JVD7NBSJDMRR2XRFCBAA====_1.0.jsonMD5=3DBD7778DF5D97915329CD5DBD1FDF2C,SHA256=F7B45872E2A0B96CE00085116E47D96E023CD9B26ED6CEE4A0DB7F7F6D143B40,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.802{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_8.4.2.jsonMD5=566D59B429D0EC1B864247CDAF0D48FE,SHA256=50B1D5C61B15E112F44697BBE02ACB56734F754292D882723D5DA9C7587F4863,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.800{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_8.4.1.jsonMD5=24489E111A2615BC7CA5385459453014,SHA256=A9ACE229FD66698E63E078CE2648FA4C868D1EF75ACA621CB3E4C724DE3430EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.799{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_8.4.0.jsonMD5=6537F6556F83CF2BE53EF496FFA0C68E,SHA256=D7524DD87F16890E12FDAF23FE27C9F9A57424A42F25298C9251DF3614B28B38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.797{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_8.3.4.jsonMD5=010E6CC9368ABD3781B0EE12F1963387,SHA256=0839447BD585F27170546DAB782EF69C13FB9BFF68C3BE9079745BD37AA20FCD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.796{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_8.2.3.jsonMD5=168220EFA26B82C7F8850C9F6A9C99A1,SHA256=B0665080311DF9E5FB8B34E82F2D9169C7FAB1F32EBE2425DF64D7CA65533B41,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.794{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_8.2.1.jsonMD5=73EFD369BB50DC0FA84397096F56011B,SHA256=4EBCF6DE144C101851559C6F99AD6BCE95B62433CE4F2AD34B3E22EC7DC8A371,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.793{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawspvdriver_21_66XA4XBKMUL56B6HYCFMNHV3CWSN44PIP4NHKIOMCDJMKGPGJE3A====_7.4.6.jsonMD5=70EF98B7C912F9DE2181A5BD470D4032,SHA256=7596B72B59AEB866E45AB7AC1E1464A00BB05E3150A2053E9199C0248B4137F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.791{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsnvme_1D_C7QZEL2SLK4UJHRRCMJ3JMZZ3XHGKPJ7ZX253EYP2ROQPGQOHEFQ====_1.4.6.jsonMD5=FEF0D881982504B08B664950AF73B431,SHA256=018F8C8466033CFE4BABB896467F3CF71778C92AC98FECE7D5057837D79B942B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.789{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsnvme_1D_C7QZEL2SLK4UJHRRCMJ3JMZZ3XHGKPJ7ZX253EYP2ROQPGQOHEFQ====_1.2.0.jsonMD5=E0F66663FE9BA15BA8E9B86B9AE8083C,SHA256=3ACF66FA6DE900EFE37B160FD36D86EAB9E088F8F58D86CDCD47E3181C7302C6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.787{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsnvme_1D_C7QZEL2SLK4UJHRRCMJ3JMZZ3XHGKPJ7ZX253EYP2ROQPGQOHEFQ====_1.0.2.jsonMD5=0D6C2192CFB968D1DD8C307285E2ADDA,SHA256=618997A7E89C60FC12472FD926C3729792345907820D505BB55FEA4C802A392A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.785{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsenanetworkdriver_29_B3WXVOFENTA4CZV4CSDDTZ5YUQX3LPG6WX6JWUXHRHKICJHCTA2Q====_1.2.3.jsonMD5=2041C31BCA9C4CB747CF264786157497,SHA256=74B8A1BB194D1F0A381D3CE2793C170EFEBB1BF761639AE07A98F02FB2B9BBB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.784{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsenanetworkdriver_29_B3WXVOFENTA4CZV4CSDDTZ5YUQX3LPG6WX6JWUXHRHKICJHCTA2Q====_1.2.3.0.jsonMD5=3DD144FFED9CF872991378D9245CEB52,SHA256=D63E4E8B09EA345827CCEB3F065B4E3266E7CA5992273C09F2C93BCB17B690F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.783{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsenanetworkdriver_29_B3WXVOFENTA4CZV4CSDDTZ5YUQX3LPG6WX6JWUXHRHKICJHCTA2Q====_1.0.8.jsonMD5=B6BDA176F221629A633188204BC8ED08,SHA256=EC342EC84952069BD5EA28E40C80435E347802139EB839DFBB8E514143AA97B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.781{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsagentdriver_24_APYMBCWZF2WULM4M727UNVFIJY6DTHUIJYVX7Z7OZUKJTKGVNWWA====_1.0.1.jsonMD5=A7B735D4593B31EA0185FF715952B6B6,SHA256=BE213C35F24595903B11C30BFF8494FED185F24F078208B874C19B2D1A44F29A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.779{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Manifests\_arnawsssmpackageawsagentdriver_24_APYMBCWZF2WULM4M727UNVFIJY6DTHUIJYVX7Z7OZUKJTKGVNWWA====_1.0.0.jsonMD5=B550512E66BD2E42CA5F104AB02BC09A,SHA256=BCC04CFF487E86C3D5C628D0DF6E2AB5B8F6B7F3C879ED2B61FAF01FE41AE0EE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.773{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\LICENSEMD5=3B83EF96387F14655FC854DDC3C6BD57,SHA256=CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.758{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\Hibernate\LICENSE.txtMD5=175792518E4AC015AB6696D16C4F607E,SHA256=58D1E17FFE5109A7AE296CAAFCADFDBE6A7D176F0BC4AB01E12A689B0499D8BD,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.758{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\175792518E4AC015AB6696D16C4F607E58D1E17FFE5109A7AE296CAAFCADFDBE6A7D176F0BC4AB01E12A689B0499D8BD00000000000000000000000000000000.txt2023-02-01 10:53:21.758
23542300x8000000000000000259012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.756{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\Hibernate\EC2HibernateAgent.ps1MD5=5BE64E17926A062EB2DDD67E205F1EB4,SHA256=4A75ACC290E13416E24498BE3376D19AEE109E2B0A0E01F19AD31B24F0628336,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.756{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\5BE64E17926A062EB2DDD67E205F1EB44A75ACC290E13416E24498BE3376D19AEE109E2B0A0E01F19AD31B24F062833600000000000000000000000000000000.ps12023-02-01 10:53:21.755
23542300x8000000000000000259010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.753{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\Hibernate\EC2HibernateAgent.exeMD5=BAF2DC4F2419BFC0DEA2BC2609DA5F5B,SHA256=25C4F7BBC409CDEC1B144034C7E79F88AAE97C74E0ED72888F19817E47ACFBB5,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue
11241100x8000000000000000259009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:21.753{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\BAF2DC4F2419BFC0DEA2BC2609DA5F5B25C4F7BBC409CDEC1B144034C7E79F88AAE97C74E0ED72888F19817E47ACFBB5F34D5F2D4577ED6D9CEEC516C1F5A744.exe2023-02-01 10:53:21.753
23542300x8000000000000000259008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.714{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\readme.txtMD5=B57C8B97C0D018D14786E06EABE0734F,SHA256=78452B7A10FDD6B2131D3E98F3FFA533B415ED58A0EDD3F644D3EC8C98CEB23F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.714{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\B57C8B97C0D018D14786E06EABE0734F78452B7A10FDD6B2131D3E98F3FFA533B415ED58A0EDD3F644D3EC8C98CEB23F00000000000000000000000000000000.txt2023-02-01 10:53:21.713
23542300x8000000000000000259006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.712{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\descript.ionMD5=EB7E322BDC62614E49DED60E0FB23845,SHA256=1DA513F5A4E8018B9AE143884EB3EAF72454B606FD51F2401B7CFD9BE4DBBF4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.711{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Uninstall.exeMD5=0C77E99DD91D1CD536B6DB9D1C70EA2A,SHA256=266BF84CC110ED4B34AEDF904B36B60E29DE0901978B0AA10C7E58CC072C2444,IMPHASH=8658E3927099DE6E638B64426FA1B2DBtruetrue
11241100x8000000000000000259004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:21.711{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\0C77E99DD91D1CD536B6DB9D1C70EA2A266BF84CC110ED4B34AEDF904B36B60E29DE0901978B0AA10C7E58CC072C24448658E3927099DE6E638B64426FA1B2DB.exe2023-02-01 10:53:21.711
23542300x8000000000000000259003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.709{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\License.txtMD5=FCB4F2486EABA2743C10991CA7BA2C85,SHA256=C3DD6EF20F70F046CFF5270C09CBB48C818BC0B2DD34A00181FD9BEDCE35F1BF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.709{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\FCB4F2486EABA2743C10991CA7BA2C85C3DD6EF20F70F046CFF5270C09CBB48C818BC0B2DD34A00181FD9BEDCE35F1BF00000000000000000000000000000000.txt2023-02-01 10:53:21.709
23542300x8000000000000000259001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.708{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\zh-tw.txtMD5=D51B52A3B0A774DA3DD7CDC1B2855FAE,SHA256=09E26564BC799ABA1C3654B3DB705A36F7D70D18A1A5ECB547F35CC6049063B7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.708{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\D51B52A3B0A774DA3DD7CDC1B2855FAE09E26564BC799ABA1C3654B3DB705A36F7D70D18A1A5ECB547F35CC6049063B700000000000000000000000000000000.txt2023-02-01 10:53:21.708
23542300x8000000000000000258999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.707{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\zh-cn.txtMD5=49DE441A26F05EB42B53DF11EA6251F8,SHA256=BB87EFBCE06D75ABE71032857CDEEA8B16306A07E77A7E4EF1ECE6686F5BF4F6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.706{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\49DE441A26F05EB42B53DF11EA6251F8BB87EFBCE06D75ABE71032857CDEEA8B16306A07E77A7E4EF1ECE6686F5BF4F600000000000000000000000000000000.txt2023-02-01 10:53:21.706
23542300x8000000000000000258997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.705{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\yo.txtMD5=698AF9267C08D61B712417491DA6A3BB,SHA256=FFAB6B91FFD2D3C2B1F7F431B47F7D28AA17A11587B876565613BB26C173402B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.704{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\698AF9267C08D61B712417491DA6A3BBFFAB6B91FFD2D3C2B1F7F431B47F7D28AA17A11587B876565613BB26C173402B00000000000000000000000000000000.txt2023-02-01 10:53:21.704
23542300x8000000000000000258995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.702{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\vi.txtMD5=044531D134ACA40D5E57CC0AB96B4940,SHA256=3A6DCA3E1B5C8190C81FC859B5BE83EAF54EFDCAA148F4374D1225381083406F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.702{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\044531D134ACA40D5E57CC0AB96B49403A6DCA3E1B5C8190C81FC859B5BE83EAF54EFDCAA148F4374D1225381083406F00000000000000000000000000000000.txt2023-02-01 10:53:21.702
23542300x8000000000000000258993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.700{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\va.txtMD5=639741F687D4427C9D3B170B1CED41A9,SHA256=F43C31BD959A752EEFBB7C76ED918C4CACD50D43706121C55093D72A638FA7A5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.700{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\639741F687D4427C9D3B170B1CED41A9F43C31BD959A752EEFBB7C76ED918C4CACD50D43706121C55093D72A638FA7A500000000000000000000000000000000.txt2023-02-01 10:53:21.700
23542300x8000000000000000258991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.699{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\uz.txtMD5=3035144EEA3A382E39541B218A5D813A,SHA256=A310044DBC86E2441F0D50BB7D7DADB9879359B0C6CEB1FAF413A0459E07045B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.699{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\3035144EEA3A382E39541B218A5D813AA310044DBC86E2441F0D50BB7D7DADB9879359B0C6CEB1FAF413A0459E07045B00000000000000000000000000000000.txt2023-02-01 10:53:21.699
23542300x8000000000000000258989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.697{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\uz-cyrl.txtMD5=7AFEDBD6E9EF3A4A2A99BC1BCB133605,SHA256=2DD421A44AD779D961C951F01E7ABF4AC358C61CE26EA8311A0C902B4FC77CA3,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.697{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7AFEDBD6E9EF3A4A2A99BC1BCB1336052DD421A44AD779D961C951F01E7ABF4AC358C61CE26EA8311A0C902B4FC77CA300000000000000000000000000000000.txt2023-02-01 10:53:21.696
23542300x8000000000000000258987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.695{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\uk.txtMD5=669B4C6C93939C63C345E7391E8CECE0,SHA256=A495AF551D6FCC463A61AE4AA57FDFA8619CBB10DFB9BCE92A11D2BBF6410DFF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.695{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\669B4C6C93939C63C345E7391E8CECE0A495AF551D6FCC463A61AE4AA57FDFA8619CBB10DFB9BCE92A11D2BBF6410DFF00000000000000000000000000000000.txt2023-02-01 10:53:21.694
23542300x8000000000000000258985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.693{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ug.txtMD5=EF3E8D61D03E42A3B40D6F0B12535ADB,SHA256=9D0268D1EEB8DFDEBBB8EA1033C2B99CD667A244C9859085BE5D54C9E5CED369,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.693{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\EF3E8D61D03E42A3B40D6F0B12535ADB9D0268D1EEB8DFDEBBB8EA1033C2B99CD667A244C9859085BE5D54C9E5CED36900000000000000000000000000000000.txt2023-02-01 10:53:21.692
23542300x8000000000000000258983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.691{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\tt.txtMD5=6E299B81EDACF15FACE1271D032CC5A0,SHA256=18479D66E0C8B5144EA32CC9D6B58EB8748E80D2C3BDEC0DBD99BBC3AB42495D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.691{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6E299B81EDACF15FACE1271D032CC5A018479D66E0C8B5144EA32CC9D6B58EB8748E80D2C3BDEC0DBD99BBC3AB42495D00000000000000000000000000000000.txt2023-02-01 10:53:21.690
23542300x8000000000000000258981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.689{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\tr.txtMD5=C69BE29E4448A858180DAF367464D531,SHA256=4816929C4BB958CE8D64D14DF47F0B6A35DCF0E7EB88201EAA93AF541894E354,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.689{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\C69BE29E4448A858180DAF367464D5314816929C4BB958CE8D64D14DF47F0B6A35DCF0E7EB88201EAA93AF541894E35400000000000000000000000000000000.txt2023-02-01 10:53:21.688
23542300x8000000000000000258979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.687{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\tk.txtMD5=75C23D0431BC83CA17308F08D1173C1D,SHA256=75EFF9DE596459F3EBA755B5C4C8CE635AF2CECDBAE40749DF348C97A2E56EE0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.687{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\75C23D0431BC83CA17308F08D1173C1D75EFF9DE596459F3EBA755B5C4C8CE635AF2CECDBAE40749DF348C97A2E56EE000000000000000000000000000000000.txt2023-02-01 10:53:21.687
23542300x8000000000000000258977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.685{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\th.txtMD5=8EE06A03DC18E5F8BC750CB6A78F6D9C,SHA256=01E7B965BD4B722003F74B4E4B30EF6A1BAEA67108816D1B9F8D6ADD39C7FA10,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.685{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\8EE06A03DC18E5F8BC750CB6A78F6D9C01E7B965BD4B722003F74B4E4B30EF6A1BAEA67108816D1B9F8D6ADD39C7FA1000000000000000000000000000000000.txt2023-02-01 10:53:21.685
23542300x8000000000000000258975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.683{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\tg.txtMD5=4A5529986613CDF743B3F7755F8F5CAE,SHA256=1CEDD8F699940FECACACBC5DF093BA70FB2099FAF9864376A3D990DA78B8E075,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.683{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\4A5529986613CDF743B3F7755F8F5CAE1CEDD8F699940FECACACBC5DF093BA70FB2099FAF9864376A3D990DA78B8E07500000000000000000000000000000000.txt2023-02-01 10:53:21.683
23542300x8000000000000000258973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.681{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ta.txtMD5=228CA6D7B8D850853233C4575A7EBF1F,SHA256=0A3B285566BBEB3F188B3C72BA21CBFC545EA05471EAB706E972C828DA5234E0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.681{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\228CA6D7B8D850853233C4575A7EBF1F0A3B285566BBEB3F188B3C72BA21CBFC545EA05471EAB706E972C828DA5234E000000000000000000000000000000000.txt2023-02-01 10:53:21.681
23542300x8000000000000000258971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.679{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sw.txtMD5=EE27959AEF24CEF2EC07684CF420B2DD,SHA256=AAEB1631458E448B678579CE369FD0A6D66E0FB02B9218328C537EE38636C557,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.679{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\EE27959AEF24CEF2EC07684CF420B2DDAAEB1631458E448B678579CE369FD0A6D66E0FB02B9218328C537EE38636C55700000000000000000000000000000000.txt2023-02-01 10:53:21.679
23542300x8000000000000000258969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.677{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sv.txtMD5=6C9E8093D11110E7044E0967D1DCD714,SHA256=4EA68A967D6A20DB716D92D7F20E42B8E644F3ACF15C035C3E74AACCD04EA4F2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.677{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6C9E8093D11110E7044E0967D1DCD7144EA68A967D6A20DB716D92D7F20E42B8E644F3ACF15C035C3E74AACCD04EA4F200000000000000000000000000000000.txt2023-02-01 10:53:21.676
23542300x8000000000000000258967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.675{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sr-spl.txtMD5=FD327F424C7E4F23D2C018DED334A1B5,SHA256=D5A250B45BD51267E2B0D78CF60E7F14113419565F9B95C2B1113963396570A5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.675{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\FD327F424C7E4F23D2C018DED334A1B5D5A250B45BD51267E2B0D78CF60E7F14113419565F9B95C2B1113963396570A500000000000000000000000000000000.txt2023-02-01 10:53:21.674
23542300x8000000000000000258965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.673{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sr-spc.txtMD5=FFD26304B9B5FAE8547703515E84460D,SHA256=283DD99EC8D13784B3D79C36766CDB16DAC0EDE0C1C09E8B1EFA64F5DC2C1A55,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.672{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\FFD26304B9B5FAE8547703515E84460D283DD99EC8D13784B3D79C36766CDB16DAC0EDE0C1C09E8B1EFA64F5DC2C1A5500000000000000000000000000000000.txt2023-02-01 10:53:21.672
23542300x8000000000000000258963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.670{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sq.txtMD5=F5C16D9111631A7280AE99C89D5BE4E3,SHA256=40A3FC08E4B2CA3D691C08B9382B2E9FA391F9123A0769052294D93BC2983734,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.670{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F5C16D9111631A7280AE99C89D5BE4E340A3FC08E4B2CA3D691C08B9382B2E9FA391F9123A0769052294D93BC298373400000000000000000000000000000000.txt2023-02-01 10:53:21.670
23542300x8000000000000000258961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.668{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sl.txtMD5=7004B98D09316E84156B91C54888C9D4,SHA256=548AA8422A228617B30FBD448D03C38C3A11D010051A24544CF8AE479314ACD8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.668{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7004B98D09316E84156B91C54888C9D4548AA8422A228617B30FBD448D03C38C3A11D010051A24544CF8AE479314ACD800000000000000000000000000000000.txt2023-02-01 10:53:21.668
23542300x8000000000000000258959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.666{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sk.txtMD5=CA2B22D21945A478757A099EEAFDF9A9,SHA256=E571C0D87B50F4659099B4CA618057533C22578066E411C5CEB3DF8BE1E77CFF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.666{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\CA2B22D21945A478757A099EEAFDF9A9E571C0D87B50F4659099B4CA618057533C22578066E411C5CEB3DF8BE1E77CFF00000000000000000000000000000000.txt2023-02-01 10:53:21.665
23542300x8000000000000000258957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.664{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\si.txtMD5=779A10D00FB98C2F78CB4C21BEF9D766,SHA256=9497007919BD06FEF4F282CD67813F9BF1618333047DD1A6E03AE88E1BFC6E21,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.664{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\779A10D00FB98C2F78CB4C21BEF9D7669497007919BD06FEF4F282CD67813F9BF1618333047DD1A6E03AE88E1BFC6E2100000000000000000000000000000000.txt2023-02-01 10:53:21.663
23542300x8000000000000000258955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.661{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\sa.txtMD5=9FE4DA297163A84FE9D0B0289B1AF077,SHA256=A44E8C328BF809890AA6CA883E2CB82B6C5207D9636E9A91253DA4CD893668C8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.661{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\9FE4DA297163A84FE9D0B0289B1AF077A44E8C328BF809890AA6CA883E2CB82B6C5207D9636E9A91253DA4CD893668C800000000000000000000000000000000.txt2023-02-01 10:53:21.661
10341000x8000000000000000258953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.659{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000258952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.659{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000258951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.659{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ru.txtMD5=B89C8D9394D82461F46B1E74F09EB121,SHA256=00CF8E5CCA9D303382B8E146694370CDE781932977BF5862AD164434AA981875,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000258950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.659{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000258949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.659{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\B89C8D9394D82461F46B1E74F09EB12100CF8E5CCA9D303382B8E146694370CDE781932977BF5862AD164434AA98187500000000000000000000000000000000.txt2023-02-01 10:53:21.659
23542300x8000000000000000258948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.656{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ro.txtMD5=E3EE837F02A1F6E4B2213EB36C025284,SHA256=F168BB4D026782134CC6C261006B815850E753A27FB47C4F23EE617666459A66,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.656{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\E3EE837F02A1F6E4B2213EB36C025284F168BB4D026782134CC6C261006B815850E753A27FB47C4F23EE617666459A6600000000000000000000000000000000.txt2023-02-01 10:53:21.656
23542300x8000000000000000258946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.654{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\pt.txtMD5=BD442B4770E2B3A675140FAC389FF36C,SHA256=BB9F2C895B7E1583E2699CF33C3CC160355BCF7FF120DDB619F9E656DBA34858,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.654{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\BD442B4770E2B3A675140FAC389FF36CBB9F2C895B7E1583E2699CF33C3CC160355BCF7FF120DDB619F9E656DBA3485800000000000000000000000000000000.txt2023-02-01 10:53:21.654
23542300x8000000000000000258944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.652{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\pt-br.txtMD5=12C4F8399E18D3D8781646E5CCFEEAC1,SHA256=2A6DFFF90D09B43FA0200D94303934C0D737EC394BB2826F4C0EA6E31E560C35,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.652{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\12C4F8399E18D3D8781646E5CCFEEAC12A6DFFF90D09B43FA0200D94303934C0D737EC394BB2826F4C0EA6E31E560C3500000000000000000000000000000000.txt2023-02-01 10:53:21.651
23542300x8000000000000000258942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.650{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ps.txtMD5=8F15262B3C1CF560B6352FAE4A5FDE21,SHA256=881B19DD1F74251E475855B8BDB53CE9AF1C3D2654A9331B069A3C273F723769,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.649{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\8F15262B3C1CF560B6352FAE4A5FDE21881B19DD1F74251E475855B8BDB53CE9AF1C3D2654A9331B069A3C273F72376900000000000000000000000000000000.txt2023-02-01 10:53:21.649
23542300x8000000000000000258940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.647{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\pl.txtMD5=2CDF63E6B3F3A474465D0D88E5386718,SHA256=223C109301A7BBF01FC57C42609083B28E3FCEDEDC1F6E6DCDFDC8EC1580C51D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.647{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\2CDF63E6B3F3A474465D0D88E5386718223C109301A7BBF01FC57C42609083B28E3FCEDEDC1F6E6DCDFDC8EC1580C51D00000000000000000000000000000000.txt2023-02-01 10:53:21.647
23542300x8000000000000000258938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.645{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\pa-in.txtMD5=6C48ED7DEBA6D3EFE6447BE948471810,SHA256=377F793EEDF3A935DDD6260D72AC3CADA9391AAFDF1F019D0BE72BE2B83A5DD9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.645{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6C48ED7DEBA6D3EFE6447BE948471810377F793EEDF3A935DDD6260D72AC3CADA9391AAFDF1F019D0BE72BE2B83A5DD900000000000000000000000000000000.txt2023-02-01 10:53:21.644
23542300x8000000000000000258936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.643{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\nn.txtMD5=366B85BF575444D20944DB387F94564E,SHA256=E6922E17B7622361BC4D07E76874A919E3095B477ED008986B94F84A931CB22F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.642{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\366B85BF575444D20944DB387F94564EE6922E17B7622361BC4D07E76874A919E3095B477ED008986B94F84A931CB22F00000000000000000000000000000000.txt2023-02-01 10:53:21.642
10341000x8000000000000000258934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.641{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-4060-63DA-E700-00000000BB02}5868C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000258933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.641{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\nl.txtMD5=0AD65C845A9C056F283D36B5EB3E3924,SHA256=2539785410A62CAD5DE140A4275FCF301C69E7ED354917761D14CBD5EE0F4FD6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.640{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\0AD65C845A9C056F283D36B5EB3E39242539785410A62CAD5DE140A4275FCF301C69E7ED354917761D14CBD5EE0F4FD600000000000000000000000000000000.txt2023-02-01 10:53:21.640
23542300x8000000000000000258931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.637{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ne.txtMD5=C7ED0560A6145A417B1E92546ED6B0F1,SHA256=C129F67193295736E1C1FF4AC7245CBD737A07EA6073B43FD22AC767F3D56E23,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.637{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\C7ED0560A6145A417B1E92546ED6B0F1C129F67193295736E1C1FF4AC7245CBD737A07EA6073B43FD22AC767F3D56E2300000000000000000000000000000000.txt2023-02-01 10:53:21.636
23542300x8000000000000000258929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.634{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\nb.txtMD5=7071CABD6FB28CEEDDEAC8B934879855,SHA256=694481B64E223F9BDD0936F89138EF735CEB92AC962D9DD21682109BA81B9697,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.634{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7071CABD6FB28CEEDDEAC8B934879855694481B64E223F9BDD0936F89138EF735CEB92AC962D9DD21682109BA81B969700000000000000000000000000000000.txt2023-02-01 10:53:21.634
23542300x8000000000000000258927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.633{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ms.txtMD5=91DA4B7D7CB3B5EB4304394E0C4CAAF2,SHA256=31AB339E581D0D13A43CADDE7C0D1E11CC03A6D8C92B91F8FE79963A6982DFF5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.632{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\91DA4B7D7CB3B5EB4304394E0C4CAAF231AB339E581D0D13A43CADDE7C0D1E11CC03A6D8C92B91F8FE79963A6982DFF500000000000000000000000000000000.txt2023-02-01 10:53:21.632
23542300x8000000000000000258925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.631{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\mr.txtMD5=2E9FC42DBD17E30F8DB8205FA2D18543,SHA256=08B8F7FF35DD4315133E04FD17B6FB896D63B9C87040A2CC68A83E81EA4EFD78,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.630{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\2E9FC42DBD17E30F8DB8205FA2D1854308B8F7FF35DD4315133E04FD17B6FB896D63B9C87040A2CC68A83E81EA4EFD7800000000000000000000000000000000.txt2023-02-01 10:53:21.630
23542300x8000000000000000258923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.629{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\mng2.txtMD5=A0D06DC2B7F53ACD8CDEBF7864080CD1,SHA256=47BFE43F3F5A88A0F366FB317A542CDC1E216F8C368DDC67252480EDE7D130F4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.629{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\A0D06DC2B7F53ACD8CDEBF7864080CD147BFE43F3F5A88A0F366FB317A542CDC1E216F8C368DDC67252480EDE7D130F400000000000000000000000000000000.txt2023-02-01 10:53:21.628
23542300x8000000000000000258921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.626{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\mng.txtMD5=BA28C5C312D1A7827B40ED84F1F6F85B,SHA256=92898472C1DB5248B0556FB5BAFDA8090684249B561DE5EF2A84C10F2F4383CA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.626{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\BA28C5C312D1A7827B40ED84F1F6F85B92898472C1DB5248B0556FB5BAFDA8090684249B561DE5EF2A84C10F2F4383CA00000000000000000000000000000000.txt2023-02-01 10:53:21.626
23542300x8000000000000000258919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.622{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\mn.txtMD5=8756027ADF94B3CC3D6C42F0D3FB4AF0,SHA256=CF5245D17224F85011ED85062957DBFD936DD760A214980FC8F2EB69E6BA3CFC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.622{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\8756027ADF94B3CC3D6C42F0D3FB4AF0CF5245D17224F85011ED85062957DBFD936DD760A214980FC8F2EB69E6BA3CFC00000000000000000000000000000000.txt2023-02-01 10:53:21.622
23542300x8000000000000000258917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.620{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\mk.txtMD5=71D42ABE45803AC9C3DA5FCACF9CC59C,SHA256=78F5CB9345AB258CF745EAA90D44C7A7A73D3FE06EA182B1298A989135FFA11F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.620{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\71D42ABE45803AC9C3DA5FCACF9CC59C78F5CB9345AB258CF745EAA90D44C7A7A73D3FE06EA182B1298A989135FFA11F00000000000000000000000000000000.txt2023-02-01 10:53:21.620
23542300x8000000000000000258915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.618{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\lv.txtMD5=341CC2C7302AE8E91B286D9EFFF55693,SHA256=4DE5F75C5E05EC4FABFC2D266AE5B254F0C335C822523A0A7F7EDC60E35A5E0D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.617{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\341CC2C7302AE8E91B286D9EFFF556934DE5F75C5E05EC4FABFC2D266AE5B254F0C335C822523A0A7F7EDC60E35A5E0D00000000000000000000000000000000.txt2023-02-01 10:53:21.616
23542300x8000000000000000258913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.615{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\lt.txtMD5=92D03523DD0E7E7B2862A6396ABAD455,SHA256=C5DA5B37BE32FA4CDD8B938D479C0327B84C9F83C948EB7E65F4DDC15A6BEEAE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.614{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\92D03523DD0E7E7B2862A6396ABAD455C5DA5B37BE32FA4CDD8B938D479C0327B84C9F83C948EB7E65F4DDC15A6BEEAE00000000000000000000000000000000.txt2023-02-01 10:53:21.614
23542300x8000000000000000258911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.613{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\lij.txtMD5=372BC4A26B676C48CF8FEFAB3711B91D,SHA256=431CAE1BB77633FDF3CE339E97BC5D5D885779DECC01ED03583E381F097A2487,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.612{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\372BC4A26B676C48CF8FEFAB3711B91D431CAE1BB77633FDF3CE339E97BC5D5D885779DECC01ED03583E381F097A248700000000000000000000000000000000.txt2023-02-01 10:53:21.611
23542300x8000000000000000258909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.610{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ky.txtMD5=7D0420EE265C9122DC11EF964871E179,SHA256=4EF68FBD8AB002BBF4CD6D1C9FD6D87A5FDE048AFD2EF162B727259EB97D70D2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.610{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7D0420EE265C9122DC11EF964871E1794EF68FBD8AB002BBF4CD6D1C9FD6D87A5FDE048AFD2EF162B727259EB97D70D200000000000000000000000000000000.txt2023-02-01 10:53:21.609
23542300x8000000000000000258907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.607{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ku.txtMD5=6E9A3E86335C08C15350BA91DF969269,SHA256=A00B21A87A58ADEFF29EA379160B6AE72DF5EC380F6E4C6A1BC352B6581FB4C4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.607{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6E9A3E86335C08C15350BA91DF969269A00B21A87A58ADEFF29EA379160B6AE72DF5EC380F6E4C6A1BC352B6581FB4C400000000000000000000000000000000.txt2023-02-01 10:53:21.606
23542300x8000000000000000258905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.605{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ku-ckb.txtMD5=C90D029172A8533946EF7419BF383305,SHA256=19AF39960142B8599153A09EF4F03F944FC00999BEB9FE2399F5F8B236716EEF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.604{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\C90D029172A8533946EF7419BF38330519AF39960142B8599153A09EF4F03F944FC00999BEB9FE2399F5F8B236716EEF00000000000000000000000000000000.txt2023-02-01 10:53:21.604
23542300x8000000000000000258903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.602{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ko.txtMD5=F1FB53A644720BB007B3422BBC6E25A8,SHA256=3A42727F9189FD791A274CC5AD00DBFBB4B3D5BB6A83F52DE4788389FB00193B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.602{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F1FB53A644720BB007B3422BBC6E25A83A42727F9189FD791A274CC5AD00DBFBB4B3D5BB6A83F52DE4788389FB00193B00000000000000000000000000000000.txt2023-02-01 10:53:21.602
23542300x8000000000000000258901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.599{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\kk.txtMD5=F4C46B450A580AD5ABF0B638DCDCC6FB,SHA256=F2E6E55C102485E232DAAD00F68D8905F7A54F8AE2128DB6AFE25231C17ACD69,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.599{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F4C46B450A580AD5ABF0B638DCDCC6FBF2E6E55C102485E232DAAD00F68D8905F7A54F8AE2128DB6AFE25231C17ACD6900000000000000000000000000000000.txt2023-02-01 10:53:21.599
23542300x8000000000000000258899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.596{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\kab.txtMD5=C6AC7AAD8BCE83AC69F197DB9D4529F8,SHA256=B8A7A5182DFDACC9BACCB412E161C60864D3B5D30038935122C736AE4F4EBC22,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.596{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\C6AC7AAD8BCE83AC69F197DB9D4529F8B8A7A5182DFDACC9BACCB412E161C60864D3B5D30038935122C736AE4F4EBC2200000000000000000000000000000000.txt2023-02-01 10:53:21.595
23542300x8000000000000000258897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.585{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\kaa.txtMD5=DFBA5C2185E113EEF167A5E21C32DF76,SHA256=4D631602CE3D0C4D9162AF6BF56A90C8EEF75A24D556B729191B62F79ABA0681,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.585{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\DFBA5C2185E113EEF167A5E21C32DF764D631602CE3D0C4D9162AF6BF56A90C8EEF75A24D556B729191B62F79ABA068100000000000000000000000000000000.txt2023-02-01 10:53:21.585
23542300x8000000000000000258895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.583{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ka.txtMD5=EB2AF4DC4C28275AE1876523944D708E,SHA256=B78DEFEC49D07120B74C2172F3E07540314771B16729C6BBFC3A1902ECE2EDA0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.583{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\EB2AF4DC4C28275AE1876523944D708EB78DEFEC49D07120B74C2172F3E07540314771B16729C6BBFC3A1902ECE2EDA000000000000000000000000000000000.txt2023-02-01 10:53:21.583
23542300x8000000000000000258893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.581{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ja.txtMD5=1E121AB29C3388A0629568D98C25E9E8,SHA256=D86A3453713FBEA8F8D1077589404FF4792362FC1999A2D4B1BD3392180FB7D1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.581{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\1E121AB29C3388A0629568D98C25E9E8D86A3453713FBEA8F8D1077589404FF4792362FC1999A2D4B1BD3392180FB7D100000000000000000000000000000000.txt2023-02-01 10:53:21.581
23542300x8000000000000000258891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.579{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\it.txtMD5=9A932D9F4FE81F10BAE4F9647896C814,SHA256=B844B4690421478CFB218A32A28665470D1505A65C724CA3F0D40E8CA313ECB5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.579{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\9A932D9F4FE81F10BAE4F9647896C814B844B4690421478CFB218A32A28665470D1505A65C724CA3F0D40E8CA313ECB500000000000000000000000000000000.txt2023-02-01 10:53:21.579
23542300x8000000000000000258889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.577{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\is.txtMD5=F361950B7D1BB073EF48CA729B7ED5EA,SHA256=F4F9D6DFD36512F027452499B083AD0656DF6503CE03E4E4CC45B925F1F1D678,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.577{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F361950B7D1BB073EF48CA729B7ED5EAF4F9D6DFD36512F027452499B083AD0656DF6503CE03E4E4CC45B925F1F1D67800000000000000000000000000000000.txt2023-02-01 10:53:21.576
23542300x8000000000000000258887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.575{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\io.txtMD5=DF8BD55B7A296DA48C8705E1D00BAD7E,SHA256=60EDA200D8D995626FDFB1D523F02A9AA538CE5E8EE5028B41293F615A9D451A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.575{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\DF8BD55B7A296DA48C8705E1D00BAD7E60EDA200D8D995626FDFB1D523F02A9AA538CE5E8EE5028B41293F615A9D451A00000000000000000000000000000000.txt2023-02-01 10:53:21.575
23542300x8000000000000000258885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.573{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\id.txtMD5=73B9F189F0C37D7CF37DF8DB89FB52AF,SHA256=18C4531E9FC00ED242F1C0526DBCD0A3D1ADA9BCFEE651AE950328AC872A216F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.573{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\73B9F189F0C37D7CF37DF8DB89FB52AF18C4531E9FC00ED242F1C0526DBCD0A3D1ADA9BCFEE651AE950328AC872A216F00000000000000000000000000000000.txt2023-02-01 10:53:21.573
23542300x8000000000000000258883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.571{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\hy.txtMD5=1362C3C286CFF992117D5466BBE284F6,SHA256=D8F60BF92541D20D01F6DDD56D49F25519303FD16E285E18080BE6815B74B8A8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.571{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\1362C3C286CFF992117D5466BBE284F6D8F60BF92541D20D01F6DDD56D49F25519303FD16E285E18080BE6815B74B8A800000000000000000000000000000000.txt2023-02-01 10:53:21.570
23542300x8000000000000000258881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.569{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\hu.txtMD5=EEBEA9C4E71A5D2820F5E8972822800F,SHA256=EF79E98FC911E0D0D16BD061A65F50F5E50CAA011699852E1608A2629B8BA37D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.568{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\EEBEA9C4E71A5D2820F5E8972822800FEF79E98FC911E0D0D16BD061A65F50F5E50CAA011699852E1608A2629B8BA37D00000000000000000000000000000000.txt2023-02-01 10:53:21.568
23542300x8000000000000000258879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.566{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\hr.txtMD5=A0A8A75560EFCF15801C96E6D71BECC3,SHA256=A72F01215EBA3BE3AF6659129DD20F7A42D74F1DA08658A9C8CE8E303C3E8F64,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.566{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\A0A8A75560EFCF15801C96E6D71BECC3A72F01215EBA3BE3AF6659129DD20F7A42D74F1DA08658A9C8CE8E303C3E8F6400000000000000000000000000000000.txt2023-02-01 10:53:21.566
23542300x8000000000000000258877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.564{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\hi.txtMD5=A0FC3C3D880A54918D86B40FFDA12F23,SHA256=8CCE5E5A846196DAC3649483290160177F47D88A7DCF0E85ACFD3131856A266A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.563{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\A0FC3C3D880A54918D86B40FFDA12F238CCE5E5A846196DAC3649483290160177F47D88A7DCF0E85ACFD3131856A266A00000000000000000000000000000000.txt2023-02-01 10:53:21.563
23542300x8000000000000000258875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.561{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\he.txtMD5=1B53819F8D58FD734B5FD985756B557C,SHA256=DCD061A0A7B29F55FA28D4396F60881836C2DF07CD936412C476A7F149540CC4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.561{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\1B53819F8D58FD734B5FD985756B557CDCD061A0A7B29F55FA28D4396F60881836C2DF07CD936412C476A7F149540CC400000000000000000000000000000000.txt2023-02-01 10:53:21.561
23542300x8000000000000000258873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.559{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\gu.txtMD5=410C8A33C66B4B2BC707E113D9C76914,SHA256=9025D8A58E0C76B186C943EF8A73A1BBA6C08945E346DE14D3C255CCFA3A10E6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.559{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\410C8A33C66B4B2BC707E113D9C769149025D8A58E0C76B186C943EF8A73A1BBA6C08945E346DE14D3C255CCFA3A10E600000000000000000000000000000000.txt2023-02-01 10:53:21.559
23542300x8000000000000000258871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.557{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\gl.txtMD5=492E51B4B5B287FE2B90A5F0BD433847,SHA256=54F676333CE58AF67B839B0F0470F99F405B5CE7FDB9C345A19D00B6423277E5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.557{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\492E51B4B5B287FE2B90A5F0BD43384754F676333CE58AF67B839B0F0470F99F405B5CE7FDB9C345A19D00B6423277E500000000000000000000000000000000.txt2023-02-01 10:53:21.557
23542300x8000000000000000258869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.553{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\ga.txtMD5=B4295E254B9DFC90E0093188257C007C,SHA256=406669ECBDF562E773B9CDF831CF5F63C3DD1A012C3521A41227C9141511D959,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.553{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\B4295E254B9DFC90E0093188257C007C406669ECBDF562E773B9CDF831CF5F63C3DD1A012C3521A41227C9141511D95900000000000000000000000000000000.txt2023-02-01 10:53:21.552
23542300x8000000000000000258867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.551{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\Lang\fy.txtMD5=0111890C0137974FCE2D79B6D22E5686,SHA256=9FE460264AF4ABD9FF23EAB79387EBB52B4498758645CD5721E75FD7B747E536,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.551{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\0111890C0137974FCE2D79B6D22E56869FE460264AF4ABD9FF23EAB79387EBB52B4498758645CD5721E75FD7B747E53600000000000000000000000000000000.txt2023-02-01 10:53:21.550
23542300x8000000000000000258784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.327{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\7-Zip\7-zip.chmMD5=34208890A28244903621CD32CC3FBDFC,SHA256=4B6939646570C9DDB5BFD39B8503EED99D8C64337E72F6DD4F9DDCFB4AC76703,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000258783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:21.327{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\34208890A28244903621CD32CC3FBDFC4B6939646570C9DDB5BFD39B8503EED99D8C64337E72F6DD4F9DDCFB4AC7670300000000000000000000000000000000.chm2023-02-01 10:53:21.326
23542300x8000000000000000111321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:21.870{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0C9A15AACBB66AFE85DB63BD3509DC,SHA256=D4D6A4F8E1AAB9C1F073F917A5FE7EEA195A0A37183EE55A157D9AE729AEF265,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:21.745{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=497B4968F2EF9EF7DA49A4337D0C090D,SHA256=26DC17B4E8A2CBC1618152473C4DDDDFAD73337594DA0C5AB5D15675F950E537,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.770{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\seelog.xml.templateMD5=E9529B812CF542DE01123B37DE878356,SHA256=BE8F1FF7E3F906B9712F01F3033E12AEC797670977E4B3F6F4F28488BA6D4058,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.768{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\amazon-ssm-agent.json.templateMD5=2C7B824B28C5453E19CCFC21589FA872,SHA256=7060FF77998F5FE609DC15484E7DE69161C8AB18E9B3501465DB2ECFB618E689,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.762{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\log4net.dllMD5=DC56476C8F98D89BC64CE34F8F02353A,SHA256=6E72EFEE25B8682FA15974B34109E93FA611370C49C0E9D4DEE0F3B9CDEFC8FF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.756{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\log4net.configMD5=74F18BA17A760B562ECB8A7B7E66F5AF,SHA256=480ED6BDE17847CA5723E32DE155E9945F116DC22BE58DB4CCDF9647ED2B4A22,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.752{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\System.Threading.dllMD5=F5EE17938D7C545BF62AD955803661C7,SHA256=8A791AF9E3861E231662B657098A823B21A084CBB6A4901D6CCF363405849A78,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.743{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\SmartThreadPool.dllMD5=6EF7779D2552EFA5FB43984D4E731602,SHA256=27F4E01100886D0A425EEEBEE3C803BD6132393DF87026D19E7B7B7A64442474,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.738{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Quartz.dllMD5=619CA541909C6407C572553B3BD7E7DE,SHA256=DC5EAA5F4A3FC4C57C759389AEA825252BB26FBE4E63D89F4A609FE3A2BAE419,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.723{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Newtonsoft.Json.dllMD5=FBD7CC5869DFB0E2F34EF27F6C459D9F,SHA256=BA03235CAE5CF39386BE73D8520AC33A6E2709F878EA58218AB6F7B82AB458B1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.713{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Microsoft.Practices.Unity.dllMD5=6CF12122D85E800592947C99811B3824,SHA256=7910859AFC2969CE1745835FD920766767D079206A5FF10036A92A0C42C9A8A2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.709{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Microsoft.Practices.Unity.Interception.dllMD5=A7C49500E842A0DF60DAC8044C3B30F0,SHA256=871C1DEBC198F2DB7EC709BDFF2E8A20181D6225AEF1262D0F756CE4FA728287,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.704{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Microsoft.Practices.Unity.Configuration.dllMD5=F2E44EBDAF0C1264A7EAF8A6833B5200,SHA256=B92DE6DBBCEA39DC320DCF38DB69C0DB1CA84749F5511A3457B11078FD7EF667,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.701{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Microsoft.Practices.ServiceLocation.dllMD5=6DF78BB163D443D95B21F58808320AF7,SHA256=79E7BE6BE7509A1A5263F0292F1462A57744A7C52C4DA6475C70A5054D08C327,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.698{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Microsoft.Practices.EnterpriseLibrary.Validation.dllMD5=8E620E47505945049CE4785FFDF190D2,SHA256=1818A658908A22989CEFFEB3C0194F720287D46AEB72C236860B9F8F09B8C115,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.689{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Microsoft.Practices.EnterpriseLibrary.Common.dllMD5=DB21FBB2EDE31F5162F5393791984C9F,SHA256=EDE66CC7B1D273BE1F09B366576EF187C25725389A10ACB31FAD4BFC61194796,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.683{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\JetBrains.Annotations.dllMD5=0552DC8CBED9E8575FFB1C29FD97073D,SHA256=09BE37783D713321D8F3FF3BE3B46939A16EA9FA76E92C2DB0CE682362CBFFC7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.681{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Interop.NetFwTypeLib.dllMD5=3425C4CE401A9BDE8CF7C705E657E31B,SHA256=1924D9D3BF1627EE209AED47867660EEB8E1C0E240D2AC805AC54AD0CEAE1B3E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.681{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\3425C4CE401A9BDE8CF7C705E657E31B1924D9D3BF1627EE209AED47867660EEB8E1C0E240D2AC805AC54AD0CEAE1B3EDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.681
23542300x8000000000000000259126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.678{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\ICSharpCode.SharpZipLib.dllMD5=5363B612322C9D6AA9C152890F34EA17,SHA256=B519BEEB18270CECFE52B8C1DB2F0F97619B82546ED77D0A27C5E275FB438ED3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.675{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Heijden.Dns.dllMD5=95E6A32FFF515A1368572E21E5C74B24,SHA256=61B97C3148D26C9D7F4F2A7A178C3F06B6C21868AA003A155AB67D7A61208E0D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.674{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\95E6A32FFF515A1368572E21E5C74B2461B97C3148D26C9D7F4F2A7A178C3F06B6C21868AA003A155AB67D7A61208E0DDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.674
23542300x8000000000000000259123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.672{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\FluentCommandLineParser.dllMD5=2A8EC6926D3C8A46A1CD0BF64C6C7A1B,SHA256=76C89CACB906A4009814C30E9CA949F2C8FB7C9231E1AE975DD03EF2F81A8BC9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.671{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\2A8EC6926D3C8A46A1CD0BF64C6C7A1B76C89CACB906A4009814C30E9CA949F2C8FB7C9231E1AE975DD03EF2F81A8BC9DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.671
23542300x8000000000000000259121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.668{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Ec2ConfigLibrary.dllMD5=1D29C8F4D4326E21E8D8AA9C7F0217C7,SHA256=899CC7D1307ABD3F37837580CD6D33B7CB8B71423C9E046CC71E53E84B4E12CD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.667{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\1D29C8F4D4326E21E8D8AA9C7F0217C7899CC7D1307ABD3F37837580CD6D33B7CB8B71423C9E046CC71E53E84B4E12CDDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.667
23542300x8000000000000000259119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.661{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Ec2Config.Plugin.dllMD5=25AB30DB30465064D20DC345241E46A5,SHA256=C126FFBDC4273771A5E3E7AD115D0A9BC456DB25834234EEA862E3C83F63DD2C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.661{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\25AB30DB30465064D20DC345241E46A5C126FFBDC4273771A5E3E7AD115D0A9BC456DB25834234EEA862E3C83F63DD2CDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.661
23542300x8000000000000000259117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.659{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Ec2Config.Plugin.Tools.dllMD5=46C307E82B9EA966B82E819FB56C4EE6,SHA256=9B84EF9A5503E72D87A834BDFDBF0FD26EE903AF6405BEF6E68368F7A71FF652,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.658{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\46C307E82B9EA966B82E819FB56C4EE69B84EF9A5503E72D87A834BDFDBF0FD26EE903AF6405BEF6E68368F7A71FF652DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.658
23542300x8000000000000000259115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.655{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Ec2Config.Plugin.Internal.dllMD5=CA07F2A10FE5424F3C834BAC5D87C849,SHA256=FAAB8FE1244F798B6364AEEE6EABD5D8F6B27745300224D7E30DF38281C5BAFB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.655{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\CA07F2A10FE5424F3C834BAC5D87C849FAAB8FE1244F798B6364AEEE6EABD5D8F6B27745300224D7E30DF38281C5BAFBDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.654
23542300x8000000000000000259113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.649{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Ec2Config.Ec2ConsoleLogger.dllMD5=88ECC764BB09120F63436393CC0563DE,SHA256=7EF3E93CC73B30FE11C53DDF072705A9603BE374582BD0FA33091111D5433336,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.649{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\88ECC764BB09120F63436393CC0563DE7EF3E93CC73B30FE11C53DDF072705A9603BE374582BD0FA33091111D5433336DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.649
23542300x8000000000000000259111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.646{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Ec2Config.Common.dllMD5=363C4878629B7D434480906CB6763D4F,SHA256=76113E7408F097BC97F5DA30B8CEC13B062F237CFD9E373E373262D97D0254D8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.646{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\363C4878629B7D434480906CB6763D4F76113E7408F097BC97F5DA30B8CEC13B062F237CFD9E373E373262D97D0254D8DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.644
23542300x8000000000000000259109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.641{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\Common.Logging.dllMD5=0CA6EA7558F962F2A8E47F2FCBD3F162,SHA256=E25719859D72C0ACC15C97C378CF38013D81B9C7EA6F7E13A55FD4A3C0493C77,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.638{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWSSDK.SimpleSystemsManagement.dllMD5=55573A85CAF34212736B36CC0B458DC0,SHA256=3DBFF80887CF5FC8117394453F4FD54A8D7F0080EB082FA0B1F51460227BB951,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.622{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWSSDK.S3.dllMD5=86BF10D4F2C82DD9E804907B0D1070A4,SHA256=004BCC9EF93C51809F6E5DE7375A11A8F81BECF915F3877AB997455D7C958416,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.622{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\86BF10D4F2C82DD9E804907B0D1070A4004BCC9EF93C51809F6E5DE7375A11A8F81BECF915F3877AB997455D7C958416DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.622
23542300x8000000000000000259105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.577{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWSSDK.EC2Messaging.dllMD5=F6D3D35CE411413060133474DD3DBD58,SHA256=F659A9F96CE2C4F9AF06397474C51B39C91A903C009528F5A6FD2599BEFAF304,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000259104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.575{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWSSDK.DirectoryService.dllMD5=8C2FBD2738BBD802EF29F61C266787A6,SHA256=DAC3079D8637F6BE1E9A75F07824AF3A522A523EB1A3109774EC22B6187BB352,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.574{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\8C2FBD2738BBD802EF29F61C266787A6DAC3079D8637F6BE1E9A75F07824AF3A522A523EB1A3109774EC22B6187BB352DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.574
23542300x8000000000000000259102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.528{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWSSDK.Core.dllMD5=0477DF28CDC10FC4377C8E603F3B2F33,SHA256=C086EA269D9249D71788C4C261A1522DEF95DA95FC2B619C86E9B43960E56AD1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.527{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\0477DF28CDC10FC4377C8E603F3B2F33C086EA269D9249D71788C4C261A1522DEF95DA95FC2B619C86E9B43960E56AD1DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.527
23542300x8000000000000000259100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.372{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWS.DomainJoin.exe.configMD5=A25B926A25587DACBE9DA0902CB909E9,SHA256=5FF8491CCE4D3692026183E44A11E1DFFF493A7408C239F10576FE1745AD55A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.370{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWS.DomainJoin.exeMD5=94CFFC6CF21D0EB92405E3E92032C61F,SHA256=065F9505237FC83C53E7EADBA661C045FC4DDAE1CAA95AAC7CCCB754768F9577,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue
11241100x8000000000000000259098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:22.370{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\94CFFC6CF21D0EB92405E3E92032C61F065F9505237FC83C53E7EADBA661C045FC4DDAE1CAA95AAC7CCCB754768F9577F34D5F2D4577ED6D9CEEC516C1F5A744.exe2023-02-01 10:53:22.370
23542300x8000000000000000259097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.363{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\log4net.dllMD5=DC56476C8F98D89BC64CE34F8F02353A,SHA256=6E72EFEE25B8682FA15974B34109E93FA611370C49C0E9D4DEE0F3B9CDEFC8FF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.362{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\DC56476C8F98D89BC64CE34F8F02353A6E72EFEE25B8682FA15974B34109E93FA611370C49C0E9D4DEE0F3B9CDEFC8FFDAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.362
23542300x8000000000000000259095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.351{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\System.Threading.dllMD5=F5EE17938D7C545BF62AD955803661C7,SHA256=8A791AF9E3861E231662B657098A823B21A084CBB6A4901D6CCF363405849A78,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.351{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F5EE17938D7C545BF62AD955803661C78A791AF9E3861E231662B657098A823B21A084CBB6A4901D6CCF363405849A78DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.350
23542300x8000000000000000259093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.342{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\SmartThreadPool.dllMD5=6EF7779D2552EFA5FB43984D4E731602,SHA256=27F4E01100886D0A425EEEBEE3C803BD6132393DF87026D19E7B7B7A64442474,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.341{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6EF7779D2552EFA5FB43984D4E73160227F4E01100886D0A425EEEBEE3C803BD6132393DF87026D19E7B7B7A64442474DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.341
23542300x8000000000000000259091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.337{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\Quartz.dllMD5=619CA541909C6407C572553B3BD7E7DE,SHA256=DC5EAA5F4A3FC4C57C759389AEA825252BB26FBE4E63D89F4A609FE3A2BAE419,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.336{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\619CA541909C6407C572553B3BD7E7DEDC5EAA5F4A3FC4C57C759389AEA825252BB26FBE4E63D89F4A609FE3A2BAE419DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.336
23542300x8000000000000000259089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.211{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\Newtonsoft.Json.dllMD5=FBD7CC5869DFB0E2F34EF27F6C459D9F,SHA256=BA03235CAE5CF39386BE73D8520AC33A6E2709F878EA58218AB6F7B82AB458B1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.210{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\FBD7CC5869DFB0E2F34EF27F6C459D9FBA03235CAE5CF39386BE73D8520AC33A6E2709F878EA58218AB6F7B82AB458B1DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.210
23542300x8000000000000000259087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.202{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\Microsoft.Practices.Unity.dllMD5=6CF12122D85E800592947C99811B3824,SHA256=7910859AFC2969CE1745835FD920766767D079206A5FF10036A92A0C42C9A8A2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.202{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6CF12122D85E800592947C99811B38247910859AFC2969CE1745835FD920766767D079206A5FF10036A92A0C42C9A8A2DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.201
23542300x8000000000000000259085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:22.197{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\Microsoft.Practices.Unity.Interception.dllMD5=A7C49500E842A0DF60DAC8044C3B30F0,SHA256=871C1DEBC198F2DB7EC709BDFF2E8A20181D6225AEF1262D0F756CE4FA728287,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:22.197{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\A7C49500E842A0DF60DAC8044C3B30F0871C1DEBC198F2DB7EC709BDFF2E8A20181D6225AEF1262D0F756CE4FA728287DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:22.197
154100x8000000000000000111324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:23.322{A4BA2B7C-44A3-63DA-6001-00000000BC02}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000259149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:24.911{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\ssm-document-worker.exeMD5=635C47EFBF821CE1BAF1EA48BC588547,SHA256=5C4FB9317C87E90256B88CE247CA821020E064BC704043AA606CBFED5F9C566F,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0truetrue
11241100x8000000000000000259148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:24.895{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\635C47EFBF821CE1BAF1EA48BC5885475C4FB9317C87E90256B88CE247CA821020E064BC704043AA606CBFED5F9C566F9CBEFE68F395E67356E2A5D8D1B285C0.exe2023-02-01 10:53:24.895
10341000x8000000000000000111368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-44A4-63DA-6201-00000000BC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E05-63DA-0500-00000000BC02}412428C:\Windows\system32\csrss.exe{A4BA2B7C-44A4-63DA-6201-00000000BC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.673{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-44A4-63DA-6201-00000000BC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.674{A4BA2B7C-44A4-63DA-6201-00000000BC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.517{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B5CB22938FE37734196E784C6B983666,SHA256=B18460D7636A447DD641270009C8B98A3D5E63B2F765A7BA44EB22A095EF712B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.455{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=ACACD76ED30E28843A1E077C0897A891,SHA256=F062776B8A026B4E8A15ADA6E71C324327AFF7911AAAF113F9DE024D5620986C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.423{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F624C2B91006772866533200C8CD33,SHA256=F90A46B768F733ED1560AF31DD0F75096FA1C22183A317C4F0DFACDEDBAF7448,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.134{A4BA2B7C-44A3-63DA-6101-00000000BC02}34763804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000111351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:24.055{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0534581DCFC1F9729DBDF269C9287B67,SHA256=762D3D8908F9C057EDD3D932270BF3A56A78C2870087F63AEC9E211E943387D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:25.505{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E282CC6683411C9D2D46DB4954B528C,SHA256=D1F469C1C654EB1C63B2955BDDA11ED3C011AF8462C1B7AB347CD5153921C36A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:25.441{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\ssm-session-logger.exeMD5=B8F07C9200D96D255CB4C4F8501C5223,SHA256=F777477902C1FA791984027E5B78D8E7D2CBCE6D4326001678A62A5933689BBD,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0truetrue
11241100x8000000000000000259150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:25.441{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\B8F07C9200D96D255CB4C4F8501C5223F777477902C1FA791984027E5B78D8E7D2CBCE6D4326001678A62A5933689BBD9CBEFE68F395E67356E2A5D8D1B285C0.exe2023-02-01 10:53:25.441
23542300x8000000000000000111369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:25.095{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BB2DF2570CF9B81A1B39B9AFE1AE39,SHA256=42B093592B624BB4ED425E9520B2CC9523DEB8DB4494B2379EB165FA7755577D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.982{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xeniface\xeniface.pdbMD5=A43708B95DFA6C6CBB837C0219BEA2C8,SHA256=ED923BF90F61BBEE984F82B89819114CAEE41C7DE09AD2F5AEAE0D9D73AA46DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.936{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xeniface\LiteAgent.pdbMD5=F44E459CC8B9AF71368390AAF6D463A4,SHA256=253043860188C64693625CFAFAFA5AC84D8A6A63CC5AA7813DD33FBB3E9E778F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.720{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xenbus\xenfilt.pdbMD5=28E53747FE0EB38F0A332E6A02870BFF,SHA256=D6B15199CBD70678CBF1C7091CDA29DA1EDE569C18D9B1BEBE77CB359EAB85FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.606{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xenbus\xenbus.pdbMD5=2D7BBD4AD4026264B05F1A4EBA763E33,SHA256=5AF396747E78A333F9CE463A81E5B579F5FEF49ECB3BC617CBDEF219629E096C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.471{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xenbus\xen.pdbMD5=467379A58D003E8E83DD5BD573A5BEBA,SHA256=A897012901162AD3A10DE3F76C3DEE758A8E45FA24CDAB050834E47E24D0B9C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.407{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvif\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88truetrue
11241100x8000000000000000259191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.406{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\E7C0450691E0B3D00FC15E823FFEB7795C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419C119D28B8420C26CE25D996F6D25FD88.sys2023-02-01 10:53:26.406
23542300x8000000000000000259190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.401{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvif\xenvif.infMD5=544A34E63B18AA043E7470CC9C519BB0,SHA256=ED639AE4759BD6A241375EA308F40A6C5D1463B173896D55D84D210B63367045,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.399{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvif\xenvif.catMD5=29FA35961BD551262C6A36BBC35BAEEC,SHA256=32A771435CDE890C218FDCFCC0B0A801ECD8F962848CE0FFE25F4F3C43ADDCC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.394{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvif\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.376{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvbd\xenvbd.sysMD5=97C027440C6BF730EE0C1DF42CBC40DD,SHA256=9FF2AF539996C7A7502DF20ADA7F86F38D5130374700D746FC9AB9B47BD619A0,IMPHASH=85E0FF38FB56CB06E6BE2C87E94EF668truetrue
11241100x8000000000000000259186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.376{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\97C027440C6BF730EE0C1DF42CBC40DD9FF2AF539996C7A7502DF20ADA7F86F38D5130374700D746FC9AB9B47BD619A085E0FF38FB56CB06E6BE2C87E94EF668.sys2023-02-01 10:53:26.375
23542300x8000000000000000259185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.372{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvbd\xenvbd.infMD5=8E6CDF981D8302F2DB0342BEDEBF6439,SHA256=C8734A39370BB30CF9194701EBB7A312F53393782E5D48FA21121355F3E81FBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.370{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvbd\xenvbd.catMD5=CA2240D6B6F7269CE5C8C24957920BC8,SHA256=AF9EE9617B0D85E4BDA8AF5B9275608EC87DE314D6FE2BB46ADF5758A532098A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.367{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvbd\xencrsh.sysMD5=2CE5C726C4688857C8668F310AAF2B52,SHA256=71957BC4ED556725FDF275094A029739DFDE3CCCF461531EB70A9413B228C0AF,IMPHASH=5A51E368D0D191BA922C89AD12551EF4truetrue
11241100x8000000000000000259182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.367{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\2CE5C726C4688857C8668F310AAF2B5271957BC4ED556725FDF275094A029739DFDE3CCCF461531EB70A9413B228C0AF5A51E368D0D191BA922C89AD12551EF4.sys2023-02-01 10:53:26.366
23542300x8000000000000000259181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.355{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenvbd\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.336{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xennet\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34truetrue
11241100x8000000000000000259179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.335{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7E6757CF81A305710B036475BCEDBC309A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A898773F39C491797C6F3DFFBBE92FB638F34.sys2023-02-01 10:53:26.335
23542300x8000000000000000259178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.331{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xennet\xennet.infMD5=2C521FF98A8CD26AEF1C27F4603AFB0D,SHA256=8E52E02D33A9F3A38C8B5917F75DF614F3651E06E23BE0BC68F15EC38774ECA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.327{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xennet\xennet.catMD5=AA775B43038C35346B933433ABC4C484,SHA256=8EFBF48D9993E7AE31526CF6C0F2A0C51C898A07E28F7C6BDACF7A48466D392A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.323{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xennet\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.307{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xeniface\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9Atruetrue
11241100x8000000000000000259174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.307{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F1A750612F0ED79D435FA3D149331D697416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1B7B4CB7750B42CE3E3BD994E129A5D9A.sys2023-02-01 10:53:26.307
23542300x8000000000000000259173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.302{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xeniface\xeniface.infMD5=9EE37612813DCCA6C57F50015CAF8490,SHA256=945D9A70ABC84BAF61B5ECA0FE2A49555B122641E43154574F3162ABBBDB1007,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.300{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xeniface\xeniface.catMD5=41DB4E5C67FCDA11ECCCB335E76BD259,SHA256=6F5F8F1475FA277FEB2981B6CB0D78264EEB7347F4A874C1A8EF4537D1BD8959,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.299{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4204D70BC9E930A93573248899800346,SHA256=F97FDB8FA8074D2DED9BADF885D91CC0C0B6ED3F00BDFECF1930B4164E8B2290,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.296{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D486AA15140981B26918162DEA78CE8,SHA256=E5D71B20CD40C464231714C2AAA0AD41538D1609505014BD6F3A3EA7437C2A33,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.296{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xeniface\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.281{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xeniface\LiteAgent.exeMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8truetrue
11241100x8000000000000000259167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:26.280{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\3727559C2C2FE26EE668086FAF9928158130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06C8B18E9A517CB77EA7AB3E7295D84FE8.exe2023-02-01 10:53:26.280
23542300x8000000000000000259166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.271{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xeniface\LiteAgent.dllMD5=40971086808971CE22C486760C95D551,SHA256=1F4A933430BCD27AB6170C987BEE05ACDDA273C28CB4D83EF87B65FA4E18F7F5,IMPHASH=00000000000000000000000000000000truetrue
11241100x8000000000000000259165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:26.270{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\40971086808971CE22C486760C95D5511F4A933430BCD27AB6170C987BEE05ACDDA273C28CB4D83EF87B65FA4E18F7F500000000000000000000000000000000.dll2023-02-01 10:53:26.270
23542300x8000000000000000259164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.266{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenbus\xenfilt.sysMD5=251186A4E15033378C635505027D8685,SHA256=46D400550B8908EBD251C1EE6C446E3692BC4A6125E435B905F1B3F8F9CABDB0,IMPHASH=E282E2A264BFDE37CEF40F00CD404F58truetrue
11241100x8000000000000000259163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.266{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\251186A4E15033378C635505027D868546D400550B8908EBD251C1EE6C446E3692BC4A6125E435B905F1B3F8F9CABDB0E282E2A264BFDE37CEF40F00CD404F58.sys2023-02-01 10:53:26.266
23542300x8000000000000000259162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.262{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenbus\xenbus.sysMD5=470A2C1B36793688D14C7F1D8DB4FC1F,SHA256=0C12BF700184AB69058BF4CDADB463CACF1EE13193911285F29F732F1596CB1D,IMPHASH=6EE3B00EBC15EFEDECB5C715ADFD9926truetrue
11241100x8000000000000000259161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.261{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\470A2C1B36793688D14C7F1D8DB4FC1F0C12BF700184AB69058BF4CDADB463CACF1EE13193911285F29F732F1596CB1D6EE3B00EBC15EFEDECB5C715ADFD9926.sys2023-02-01 10:53:26.259
23542300x8000000000000000259160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.254{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenbus\xenbus.infMD5=C7231671BB24E18393D8848347E978C0,SHA256=E78C39736B901B3E12A7D4E13678A6070E59F08BA195547111D586D92368A6B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.247{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenbus\xenbus.catMD5=783E72F5D1ADE58053C2101113BAF3E0,SHA256=C27F74DEDE0727424EDA9DCBBC4A77D12AD1D8298DAD6B6ACC44B24CB821BAA7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.241{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenbus\xen.sysMD5=7E0658E0671FD502BDFDA9A34794E6E5,SHA256=06DFC4ED3EB8025E0CA365F44E45436B9B97DBF5323F56A920220DB1B4FA09DE,IMPHASH=CE4EB3908D3EE4E5E04DB5AEC6CF56CCtruetrue
11241100x8000000000000000259157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.240{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7E0658E0671FD502BDFDA9A34794E6E506DFC4ED3EB8025E0CA365F44E45436B9B97DBF5323F56A920220DB1B4FA09DECE4EB3908D3EE4E5E04DB5AEC6CF56CC.sys2023-02-01 10:53:26.240
23542300x8000000000000000259156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.235{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Drivers\xenbus\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
11241100x8000000000000000259155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:26.234{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\B5F75FCCE7C32239378983A3A3C331D407ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B3EACB9638877275335DA4B58E52824F8.exe2023-02-01 10:53:26.234
23542300x8000000000000000259154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:26.156{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\SSM\ssm-session-worker.exeMD5=E486ACB8760B5389686066C9C4AF8850,SHA256=16F4A22F7C13185BF508B4FC6DD7E2FCC0D9B39EEF69473AE332EAE90AE5A719,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0truetrue
11241100x8000000000000000259153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:26.130{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\E486ACB8760B5389686066C9C4AF885016F4A22F7C13185BF508B4FC6DD7E2FCC0D9B39EEF69473AE332EAE90AE5A7199CBEFE68F395E67356E2A5D8D1B285C0.exe2023-02-01 10:53:26.130
10341000x8000000000000000111384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.852{A4BA2B7C-44A6-63DA-6301-00000000BC02}40322704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-44A6-63DA-6301-00000000BC02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-44A6-63DA-6301-00000000BC02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.665{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-44A6-63DA-6301-00000000BC02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.666{A4BA2B7C-44A6-63DA-6301-00000000BC02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.161{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C720AE12CBC42255B7A26DF806A400D4,SHA256=D990EA0BD69CEB4B7AA419A5DDC0BFAB7D18B10BE999639F3516275323366967,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.921{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenbus\xenfilt.pdbMD5=28E53747FE0EB38F0A332E6A02870BFF,SHA256=D6B15199CBD70678CBF1C7091CDA29DA1EDE569C18D9B1BEBE77CB359EAB85FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.903{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenbus\xenbus.pdbMD5=2D7BBD4AD4026264B05F1A4EBA763E33,SHA256=5AF396747E78A333F9CE463A81E5B579F5FEF49ECB3BC617CBDEF219629E096C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.899{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A499D797335BF901975613A0451047F7,SHA256=03EB52BD7249A1BE9D40A76747676A43B28AA1638627ADD98F77B4BEF9A77297,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.881{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenbus\xen.pdbMD5=467379A58D003E8E83DD5BD573A5BEBA,SHA256=A897012901162AD3A10DE3F76C3DEE758A8E45FA24CDAB050834E47E24D0B9C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.862{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\PreparationText.rtfMD5=74FEC71288E7374507FF15CB0697B6C5,SHA256=AC9001E712D16AE4091019A513061730A7AFF7F27A54EA1767593787851B18D9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.862{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\74FEC71288E7374507FF15CB0697B6C5AC9001E712D16AE4091019A513061730A7AFF7F27A54EA1767593787851B18D900000000000000000000000000000000.rtf2023-02-01 10:53:27.861
23542300x8000000000000000259239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.859{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Newtonsoft.Json.DLLMD5=95044CC7B85C33F9132CF258F3E9618C,SHA256=8DA65EFC680600C50DDBEDEA524CBCA889F3C9BB5FE9287952BFA1A6D24FC711,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:27.858{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\95044CC7B85C33F9132CF258F3E9618C8DA65EFC680600C50DDBEDEA524CBCA889F3C9BB5FE9287952BFA1A6D24FC711DAE02F32A21E03CE65412F6E56942DAA.DLL2023-02-01 10:53:27.858
23542300x8000000000000000259237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.776{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\LiteAgent.exeMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8truetrue
23542300x8000000000000000259236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.771{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\LiteAgent.dllMD5=40971086808971CE22C486760C95D551,SHA256=1F4A933430BCD27AB6170C987BEE05ACDDA273C28CB4D83EF87B65FA4E18F7F5,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000259235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.769{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\InstallerClass.dllMD5=CD3C6509320DDF3E1DC83A8E7EE05C14,SHA256=0BE55D7FCE18F5180DE9790B6D7C3942965EB903628C22D80AC5BCCE6D094145,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:27.769{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\CD3C6509320DDF3E1DC83A8E7EE05C140BE55D7FCE18F5180DE9790B6D7C3942965EB903628C22D80AC5BCCE6D094145DAE02F32A21E03CE65412F6E56942DAA.dll2023-02-01 10:53:27.769
23542300x8000000000000000259233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.767{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\InstallerClass.InstallStateMD5=8340E57C6861AA09B7AC38E04EE8E33D,SHA256=A9E636FFAA636D4FDA92BCEE8422B7ABF8ABCF0BCF5FF860CEAF23E327FE0B21,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.765{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Installer.exe.configMD5=AC8CBE09AC87C29FB067B862F650DF27,SHA256=11716E0949DF3EB34FD11AAAA8D23BAA21525619350D2D5CCF4CE9A8CF11019D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.763{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Installer.exeMD5=AAFC03CD61BB7BE0476697E4219F925E,SHA256=B0B5958027C6ECC40A7258BD19625D2275BDEECE3C622BFBE663713A1DB51BE8,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue
11241100x8000000000000000259230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:27.762{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\AAFC03CD61BB7BE0476697E4219F925EB0B5958027C6ECC40A7258BD19625D2275BDEECE3C622BFBE663713A1DB51BE8F34D5F2D4577ED6D9CEEC516C1F5A744.exe2023-02-01 10:53:27.762
23542300x8000000000000000259229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.758{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvif\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88truetrue
23542300x8000000000000000259228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.719{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvif\xenvif.infMD5=544A34E63B18AA043E7470CC9C519BB0,SHA256=ED639AE4759BD6A241375EA308F40A6C5D1463B173896D55D84D210B63367045,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.717{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvif\xenvif.catMD5=29FA35961BD551262C6A36BBC35BAEEC,SHA256=32A771435CDE890C218FDCFCC0B0A801ECD8F962848CE0FFE25F4F3C43ADDCC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.712{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvif\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.626{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xenvbd.sysMD5=97C027440C6BF730EE0C1DF42CBC40DD,SHA256=9FF2AF539996C7A7502DF20ADA7F86F38D5130374700D746FC9AB9B47BD619A0,IMPHASH=85E0FF38FB56CB06E6BE2C87E94EF668truetrue
23542300x8000000000000000259224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.621{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xenvbd.infMD5=8E6CDF981D8302F2DB0342BEDEBF6439,SHA256=C8734A39370BB30CF9194701EBB7A312F53393782E5D48FA21121355F3E81FBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.619{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xenvbd.catMD5=CA2240D6B6F7269CE5C8C24957920BC8,SHA256=AF9EE9617B0D85E4BDA8AF5B9275608EC87DE314D6FE2BB46ADF5758A532098A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.616{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xendisk.sysMD5=39294EE2BA5B853C217248D23E885F9B,SHA256=931CA19CD83F5BB8911067D61FA91952DA014014E55379008F748C1E8B9C3087,IMPHASH=2BAA4E1BB7E726DE3B6AEE98F89EED25truetrue
11241100x8000000000000000259221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.616{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\39294EE2BA5B853C217248D23E885F9B931CA19CD83F5BB8911067D61FA91952DA014014E55379008F748C1E8B9C30872BAA4E1BB7E726DE3B6AEE98F89EED25.sys2023-02-01 10:53:27.616
23542300x8000000000000000259220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.613{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xencrsh.sysMD5=2CE5C726C4688857C8668F310AAF2B52,SHA256=71957BC4ED556725FDF275094A029739DFDE3CCCF461531EB70A9413B228C0AF,IMPHASH=5A51E368D0D191BA922C89AD12551EF4truetrue
23542300x8000000000000000259219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.604{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.589{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xennet\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34truetrue
23542300x8000000000000000259217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.585{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xennet\xennet.infMD5=2C521FF98A8CD26AEF1C27F4603AFB0D,SHA256=8E52E02D33A9F3A38C8B5917F75DF614F3651E06E23BE0BC68F15EC38774ECA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.583{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xennet\xennet.catMD5=AA775B43038C35346B933433ABC4C484,SHA256=8EFBF48D9993E7AE31526CF6C0F2A0C51C898A07E28F7C6BDACF7A48466D392A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.578{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xennet\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.528{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xeniface\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9Atruetrue
23542300x8000000000000000259213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.523{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xeniface\xeniface.infMD5=9EE37612813DCCA6C57F50015CAF8490,SHA256=945D9A70ABC84BAF61B5ECA0FE2A49555B122641E43154574F3162ABBBDB1007,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.521{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xeniface\xeniface.catMD5=41DB4E5C67FCDA11ECCCB335E76BD259,SHA256=6F5F8F1475FA277FEB2981B6CB0D78264EEB7347F4A874C1A8EF4537D1BD8959,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.517{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xeniface\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.504{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\xenfilt.sysMD5=251186A4E15033378C635505027D8685,SHA256=46D400550B8908EBD251C1EE6C446E3692BC4A6125E435B905F1B3F8F9CABDB0,IMPHASH=E282E2A264BFDE37CEF40F00CD404F58truetrue
23542300x8000000000000000259209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.499{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\xenbus.sysMD5=470A2C1B36793688D14C7F1D8DB4FC1F,SHA256=0C12BF700184AB69058BF4CDADB463CACF1EE13193911285F29F732F1596CB1D,IMPHASH=6EE3B00EBC15EFEDECB5C715ADFD9926truetrue
23542300x8000000000000000259208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.495{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\xenbus.infMD5=C7231671BB24E18393D8848347E978C0,SHA256=E78C39736B901B3E12A7D4E13678A6070E59F08BA195547111D586D92368A6B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.493{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\xenbus.catMD5=783E72F5D1ADE58053C2101113BAF3E0,SHA256=C27F74DEDE0727424EDA9DCBBC4A77D12AD1D8298DAD6B6ACC44B24CB821BAA7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.490{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\xen.sysMD5=7E0658E0671FD502BDFDA9A34794E6E5,SHA256=06DFC4ED3EB8025E0CA365F44E45436B9B97DBF5323F56A920220DB1B4FA09DE,IMPHASH=CE4EB3908D3EE4E5E04DB5AEC6CF56CCtruetrue
23542300x8000000000000000259205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.485{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\dpinst.exeMD5=B5F75FCCE7C32239378983A3A3C331D4,SHA256=07ACBFF9A241CF67051807D261066DB56B159E3E25B26FEB8564A7ED1BC74E8B,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
23542300x8000000000000000259204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.464{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\AWSPVDriverMSI.logMD5=AD8635783E228EB2E8E37BC61DDA7EC0,SHA256=1B4B4B7570C10BE6A5730D67FEA785B8DDA2C7206EF772F8D9457AFD88266886,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.382{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xenvif\xenvif.pdbMD5=52E66507550875C4497C9B1714033C42,SHA256=286C2257C15FAB8049E1606B9023B9712C1C56399C277CD21D4743DD907EF290,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.287{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xenvbd\xenvbd.pdbMD5=18BD074783FE9573140A8ADDB0B4ADDA,SHA256=20C0432BF097FE5CFA2065D6F44385BCA5A8FC63D810E806C5784CF0B83F17CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.189{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xenvbd\xencrsh.pdbMD5=0FE4D3B932BFE65E30BC25FF15395880,SHA256=86BC5C69D8A561B8EAF1FDEDE8602ACE1E81FE6F2A988F6256A77951359C8707,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.095{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE9F444942CB2162ABCD4645C02BCE,SHA256=C0FC17667A7B40B46E46E2678CE6F1E3A1A8287269CFA2CC98747AAAD62B437A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000259199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:24.063{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000259198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.000{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\.Symbols\xennet\xennet.pdbMD5=BE10DFC54DD5CC6EE88492FE2D096DA9,SHA256=17195987020BEC13D032B00828102226948156573FD9B05B8559454DCC1EFF4A,IMPHASH=00000000000000000000000000000000falsetrue
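The burst of records above is Sysmon Event ID 23 (FileDelete) entries in which C:\Temp\swiftslicer.exe, running as ATTACKRANGE\Administrator with PID 2428 on the domain controller, deletes the AWS PV driver files under C:\Program Files\Amazon\XenTools within roughly one second, each with Archived=true; the single Event ID 11 (FileCreate) entry is Sysmon writing its archive copy of xendisk.sys into C:\Sysmon\ under a name built from the deleted file's MD5, SHA256 and IMPHASH. The export has lost its field delimiters, so the System header and the EventData fields run together on each line. The Python below is an example added by the editor, not part of this dataset or of Attack Range: it re-splits such records using the fixed Sysmon header layout (Level is always 4 and Task equals EventID), then flags any process that deletes at least five distinct files across at least two directories inside a five-second window and ties Sysmon's archive copies back to the deleted executables. The thresholds, the window, and the assumption that the archive directory is C:\Sysmon are the editor's choices; the sample records are copied verbatim from this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The export lost its delimiters: the Sysmon System header (EventID, Version, Level,
# Task, Opcode, Keywords, EventRecordID, Channel, Computer) runs into RuleName ("-")
# and UtcTime. Sysmon always writes Level=4 and Task=EventID, so it re-splits safely.
HEADER = re.compile(
    r"^(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)0"          # EventID Version Level Task Opcode
    r"0x8000000000000000(?P<rec>\d+)"                  # Keywords EventRecordID
    r"Microsoft-Windows-Sysmon/Operational"            # Channel
    r"(?P<computer>.+?)-"                              # Computer, RuleName "-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"  # UtcTime
    r"(?P<rest>.*)$"                                   # event-specific fields
)
# Event ID 23 FileDelete: ProcessGuid ProcessId User Image TargetFilename Hashes
# IsExecutable Archived. Event ID 11 FileCreate: ProcessGuid ProcessId Image
# TargetFilename CreationUtcTime.
FILE_DELETE = re.compile(
    r"^(?P<guid>\{[0-9A-F-]{36}\})(?P<pid>\d+)(?P<user>.+?)"
    r"(?P<image>[A-Z]:\\.+?\.exe)(?P<target>[A-Z]:\\.+?)"
    r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
    r"IMPHASH=(?P<imphash>[0-9A-F]{32})"
    r"(?P<is_executable>true|false)(?P<archived>true|false)$"
)
FILE_CREATE = re.compile(
    r"^(?P<guid>\{[0-9A-F-]{36}\})(?P<pid>\d+)"
    r"(?P<image>[A-Z]:\\.+?\.exe)(?P<target>[A-Z]:\\.+?)"
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})$"
)
BODY = {23: FILE_DELETE, 11: FILE_CREATE}
ARCHIVE_DIR = "C:\\Sysmon\\"   # assumption: the Sysmon archive directory seen on this page

def parse(line):
    """Split one fused record into a dict; None if it is not a Sysmon record."""
    h = HEADER.match(line.strip())
    if not h:
        return None
    ev = {"eid": int(h["eid"]), "rec": int(h["rec"]), "computer": h["computer"],
          "utc": datetime.strptime(h["utc"], "%Y-%m-%d %H:%M:%S.%f")}
    body = BODY.get(ev["eid"])
    if body is None:
        return ev                      # other event IDs: header fields only
    m = body.match(h["rest"])
    if not m:
        return None
    ev.update(m.groupdict())
    return ev

def find_wiper_activity(lines, window=timedelta(seconds=5), min_files=5, min_dirs=2):
    """One finding per process deleting >= min_files files in >= min_dirs directories
    within `window`; archive copies (<MD5><SHA256><IMPHASH>.<ext>) are matched back."""
    events = [e for e in map(parse, lines) if e]
    deletes, archived = defaultdict(list), {}
    for e in events:
        if e["eid"] == 23:
            deletes[(e["computer"], e["guid"], e["image"])].append(e)
        elif e["eid"] == 11 and e["target"].startswith(ARCHIVE_DIR):
            archived[e["target"].rsplit("\\", 1)[-1].split(".")[0]] = e["target"]
    findings = []
    for (computer, guid, image), evs in deletes.items():
        evs.sort(key=lambda e: e["utc"])
        for i, first in enumerate(evs):
            span = [x for x in evs[i:] if x["utc"] - first["utc"] <= window]
            files = {x["target"] for x in span}
            dirs = {x["target"].rsplit("\\", 1)[0] for x in span}
            if len(files) < min_files or len(dirs) < min_dirs:
                continue
            exe = [x for x in span if x["is_executable"] == "true"]
            keys = {x["md5"] + x["sha256"] + x["imphash"] for x in exe}
            findings.append({
                "computer": computer, "process_guid": guid, "image": image,
                "pid": first["pid"], "user": first["user"],
                "files": len(files), "dirs": len(dirs),
                "first": first["utc"], "last": span[-1]["utc"],
                "executables": sorted(x["target"] for x in exe),
                "archived_copies": sorted(archived[k] for k in keys if k in archived),
            })
            break                      # the first qualifying window is enough
    return findings

# Records copied verbatim from this page: five driver deletes and one log-file delete by
# swiftslicer.exe, the archive copy of xendisk.sys, a benign delete by the forwarder, and
# a network event that only the header parser handles.
SAMPLE_LINES = [
    r"23542300x8000000000000000259222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.616{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xendisk.sysMD5=39294EE2BA5B853C217248D23E885F9B,SHA256=931CA19CD83F5BB8911067D61FA91952DA014014E55379008F748C1E8B9C3087,IMPHASH=2BAA4E1BB7E726DE3B6AEE98F89EED25truetrue",
    r"23542300x8000000000000000259220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.613{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenvbd\xencrsh.sysMD5=2CE5C726C4688857C8668F310AAF2B52,SHA256=71957BC4ED556725FDF275094A029739DFDE3CCCF461531EB70A9413B228C0AF,IMPHASH=5A51E368D0D191BA922C89AD12551EF4truetrue",
    r"23542300x8000000000000000259218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.589{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xennet\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34truetrue",
    r"23542300x8000000000000000259214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.528{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xeniface\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9Atruetrue",
    r"23542300x8000000000000000259210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.504{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Drivers\xenbus\xenfilt.sysMD5=251186A4E15033378C635505027D8685,SHA256=46D400550B8908EBD251C1EE6C446E3692BC4A6125E435B905F1B3F8F9CABDB0,IMPHASH=E282E2A264BFDE37CEF40F00CD404F58truetrue",
    r"23542300x8000000000000000259204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.464{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\AWSPVDriverMSI.logMD5=AD8635783E228EB2E8E37BC61DDA7EC0,SHA256=1B4B4B7570C10BE6A5730D67FEA785B8DDA2C7206EF772F8D9457AFD88266886,IMPHASH=00000000000000000000000000000000falsetrue",
    r"11241100x8000000000000000259221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.616{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\39294EE2BA5B853C217248D23E885F9B931CA19CD83F5BB8911067D61FA91952DA014014E55379008F748C1E8B9C30872BAA4E1BB7E726DE3B6AEE98F89EED25.sys2023-02-01 10:53:27.616",
    r"23542300x8000000000000000259200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:27.095{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE9F444942CB2162ABCD4645C02BCE,SHA256=C0FC17667A7B40B46E46E2678CE6F1E3A1A8287269CFA2CC98747AAAD62B437A,IMPHASH=00000000000000000000000000000000falsetrue",
    r"354300x8000000000000000259199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:24.063{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-",
]

if __name__ == "__main__":
    for f in find_wiper_activity(SAMPLE_LINES):
        print(f"{f['computer']}: {f['image']} (PID {f['pid']}, {f['user']}) deleted "
              f"{f['files']} files in {f['dirs']} directories, {f['first']} to {f['last']}")
        print("  archived copies:", f["archived_copies"])
```

On the page's own records this yields one finding for swiftslicer.exe: six files in five directories, five of them executables, with one archive copy (xendisk.sys) recoverable from C:\Sysmon\. The Splunk forwarder's single delete of its own checkpoint file does not qualify. The archive copy is what makes Event ID 23 more useful than the non-archiving Event ID 26 in a wiper case: the bytes of the destroyed driver survive for analysis as long as the archive directory itself is not overwritten, so the archive directory should be excluded from the wiper's reach by ACL and its contents shipped off-host promptly.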
10341000x8000000000000000111418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-44A7-63DA-6501-00000000BC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E05-63DA-0500-00000000BC02}4121192C:\Windows\system32\csrss.exe{A4BA2B7C-44A7-63DA-6501-00000000BC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.984{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-44A7-63DA-6501-00000000BC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.985{A4BA2B7C-44A7-63DA-6501-00000000BC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000111405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.485{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.461{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x8000000000000000111403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.461{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x8000000000000000111402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.461{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x8000000000000000111401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.461{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x8000000000000000111400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.461{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x8000000000000000111399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.461{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x8000000000000000111398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.337{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.338{A4BA2B7C-44A7-63DA-6401-00000000BC02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:27.243{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2590B937E6D90E2F8332E3064BC97F69,SHA256=AA2F9EB4D5D526FF84ADD5AD2ECDEB2AF4DF7675157CF028D56713608AFA78F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.996{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\libssl-1_1.dllMD5=8769ADAFCA3A6FC6EF26F01FD31AFA84,SHA256=2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071,IMPHASH=3ADF02A15243FCCC51BEB2B37FBF071Dtruetrue
11241100x8000000000000000259295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:28.996{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\8769ADAFCA3A6FC6EF26F01FD31AFA842AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC050713ADF02A15243FCCC51BEB2B37FBF071D.dll2023-02-01 10:53:28.996
23542300x8000000000000000259294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.967{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\library.zipMD5=DFF654541C044D78DBF4B683732BE4B6,SHA256=83EB32A956D152E6EDC7C1361DC4EDDAA0501D2415CBFA383015777A476FC0E4,IMPHASH=420F1B1EBA5D9F1DE2CCC2B639E132CDtruetrue
23542300x8000000000000000259293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.797{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\libffi-7.dllMD5=EEF7981412BE8EA459064D3090F4B3AA,SHA256=F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081,IMPHASH=3DC8B86D60F90A1851EEE5F9DC191312truetrue
11241100x8000000000000000259292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:28.795{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\EEF7981412BE8EA459064D3090F4B3AAF60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB504050813DC8B86D60F90A1851EEE5F9DC191312.dll2023-02-01 10:53:28.795
23542300x8000000000000000259291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.783{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\libcrypto-1_1.dllMD5=6F4B8EB45A965372156086201207C81F,SHA256=976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541,IMPHASH=11F2ED72076BBF7871EB95FD5B4E84B0truetrue
11241100x8000000000000000259290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:28.780{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\6F4B8EB45A965372156086201207C81F976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB14954111F2ED72076BBF7871EB95FD5B4E84B0.dll2023-02-01 10:53:28.780
23542300x8000000000000000259289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.698{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BC31A1B062BED2B88282720391FEDB,SHA256=6B8159CC5AD94B732570FF05D06928213B351D3E0A915B00CBAD0FC81018C06F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.677{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\endpoints.jsonMD5=9A131CC8A2B3FEC8DFBCF133B11C9A98,SHA256=D6E87C6C13A69C6AF010A7D1971FB94387199F7857909AC2CE1D27B09B84D3B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.675{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-signal.exeMD5=0D518B4D00C9F9FE4F61237F732DE694,SHA256=638EDDA31509FDE7E02690D1E25FFEB3DC8F000B38FFE84E288B47067B220305,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.674{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\0D518B4D00C9F9FE4F61237F732DE694638EDDA31509FDE7E02690D1E25FFEB3DC8F000B38FFE84E288B47067B220305B588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.674
23542300x8000000000000000259285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.672{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-send-cmd-result.exeMD5=35B71AACF8574AF93C5DB85D8115A0EE,SHA256=7E4D305E3A1258F69B86E20A729EF80D50F8BABF6E10C782D4EC35659F345105,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.672{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\35B71AACF8574AF93C5DB85D8115A0EE7E4D305E3A1258F69B86E20A729EF80D50F8BABF6E10C782D4EC35659F345105B588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.671
23542300x8000000000000000259283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.667{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-send-cmd-event.exeMD5=57C56AF0277FF62434174C0D199D4696,SHA256=C38321F5D1DA9953F6D5A5489494A5DE000EEFFF5EAED9D546F7353377C39B8E,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.667{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\57C56AF0277FF62434174C0D199D4696C38321F5D1DA9953F6D5A5489494A5DE000EEFFF5EAED9D546F7353377C39B8EB588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.667
23542300x8000000000000000259281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.664{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-init.exeMD5=DF5FC713F1D620816D24642F92454649,SHA256=B66AAE57232C5E7C8FCFD97E386448775471FCF461C8BE59EC37F0F405AEA21A,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.664{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\DF5FC713F1D620816D24642F92454649B66AAE57232C5E7C8FCFD97E386448775471FCF461C8BE59EC37F0F405AEA21AB588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.663
23542300x8000000000000000259279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.660{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-hup.exeMD5=ED574D23E1A690592EC1F81BD6127CC3,SHA256=56B0B98EFE38AF4A317909A29CE04B185344B32F51784C40342E62C0D6B97175,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.659{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\ED574D23E1A690592EC1F81BD6127CC356B0B98EFE38AF4A317909A29CE04B185344B32F51784C40342E62C0D6B97175B588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.659
23542300x8000000000000000259277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.656{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-get-metadata.exeMD5=19541C2E670742685B41CA1EC9F21E3C,SHA256=F331745610E84D120BC88B0F0B0BC7A310B7F501F5B62F2F6B4E979AD6D64240,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.656{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\19541C2E670742685B41CA1EC9F21E3CF331745610E84D120BC88B0F0B0BC7A310B7F501F5B62F2F6B4E979AD6D64240B588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.655
23542300x8000000000000000259275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.644{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cfn-elect-cmd-leader.exeMD5=F66BD1C969646835EF0B44F13A4BE833,SHA256=91FC2B8002893FC4B980998CD0375CBE3B4227D853354D632CFB2293B2C06E39,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.644{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\F66BD1C969646835EF0B44F13A4BE83391FC2B8002893FC4B980998CD0375CBE3B4227D853354D632CFB2293B2C06E39B588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:28.644
23542300x8000000000000000259273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.639{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\cacert.pemMD5=26D945217CDD5621F75EED6CD911C856,SHA256=5DF7376B335ACDA563F5904FC1FEB9B5A2D5F30ABE0DE0BCF03419AB5684418E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.629{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_win32sysloader.pydMD5=620459731FA689A92BFB793923574023,SHA256=8FE5DD427CA4C32F143197E4A4EA6638D77D3B88E8E8DAE8AABD54ECBD57FDA3,IMPHASH=879AB91058478E56351A7BA0DB265D84truetrue
23542300x8000000000000000259271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.626{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_uuid.pydMD5=041556420BDB334A71765D33229E9945,SHA256=8B3D4767057C18C1C496E138D4843F25E5C98DDFC6A8D1B0ED46FD938EDE5BB6,IMPHASH=CB226E072CA26A11E01B792EDFBA8B4Atruetrue
23542300x8000000000000000259270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.623{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_ssl.pydMD5=9DDB64354EF0B91C6999A4B244A0A011,SHA256=E33B7A4AA5CDD5462EE66830636FDD38048575A43D06EB7E2F688358525DDEAB,IMPHASH=60A4BC7B5A2891D0543CEAB618F6CFD2truetrue
23542300x8000000000000000259269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.617{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_socket.pydMD5=0F5E64E33F4D328EF11357635707D154,SHA256=8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE,IMPHASH=4818D4EF8972C1CB7F81D7535D8855B4truetrue
23542300x8000000000000000259268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.614{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_queue.pydMD5=52D0A6009D3DE40F4FA6EC61DB98C45C,SHA256=007BCF19D9B036A7E73F5EF31F39BFB1910F72C9C10E4A1B0658352CFE7A8B75,IMPHASH=5D36E81FB0694D2F72E478D60DF5EDC0truetrue
23542300x8000000000000000259267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.611{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_lzma.pydMD5=0A94C9F3D7728CF96326DB3AB3646D40,SHA256=0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31,IMPHASH=EC321FE6F6AE9199BAB3D28C705C7554truetrue
23542300x8000000000000000259266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.606{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_hashlib.pydMD5=D856A545A960BF2DCA1E2D9BE32E5369,SHA256=CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3,IMPHASH=DD99273B45BAEFE9626061E94EC53345truetrue
23542300x8000000000000000259265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.602{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_elementtree.pydMD5=1DCD7EBE6ACADDF16C805D8094451F3D,SHA256=D90414E40FB283ED4633924613DAC671580BF7DB926DA37346AA230380860933,IMPHASH=4520D9259EC386A4BFFADA413311EBC7truetrue
23542300x8000000000000000259264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.598{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_decimal.pydMD5=6339FA92584252C3B24E4CCE9D73EF50,SHA256=4AE6F6FB3992BB878416211221B3D62515E994D78F72EAB51E0126CA26D0EE96,IMPHASH=8D495F7690547320CD4BC3D251892F87truetrue
23542300x8000000000000000259263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.537{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_ctypes.pydMD5=CA4CEF051737B0E4E56B7D597238DF94,SHA256=E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B,IMPHASH=3709E7A20CC84A81B9084310159B1691truetrue
23542300x8000000000000000259262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.532{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\_bz2.pydMD5=BBE89CF70B64F38C67B7BF23C0EA8A48,SHA256=775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723,IMPHASH=35A9DACF9F79C03B0381C7EB4EBF6710truetrue
23542300x8000000000000000259261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.527{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\LICENSE.rtfMD5=716262D77C92BBB6CBD477A4120AF0B4,SHA256=9F334335A55D48D203193AB190F77367959DA4CC2AC2670D69A191099CC3EB0F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.526{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\716262D77C92BBB6CBD477A4120AF0B49F334335A55D48D203193AB190F77367959DA4CC2AC2670D69A191099CC3EB0F00000000000000000000000000000000.rtf2023-02-01 10:53:28.526
23542300x8000000000000000259259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.449{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\log4net.DLLMD5=E4795A2EAE874F2D50C252945641B49B,SHA256=DEEE8B348C2A730186DA5308D381E5ABA82F87DD5C55F1AFA0B8E67FAE79273D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
11241100x8000000000000000259258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:28.449{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\E4795A2EAE874F2D50C252945641B49BDEEE8B348C2A730186DA5308D381E5ABA82F87DD5C55F1AFA0B8E67FAE79273DDAE02F32A21E03CE65412F6E56942DAA.DLL2023-02-01 10:53:28.448
23542300x8000000000000000259257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.443{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\icon.icoMD5=2A0BBC6692DA47CAA5025D396FFC081F,SHA256=B89E75C370E9D4F2B4BF1F398BB8B55771906B9B046FECA58FB80AAF8FA3D8D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.439{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\dpinst.exeMD5=9B79FA8274CE828D6D34B31F22982BBF,SHA256=D4349F8FC976996DBE862C185AAD75AEF4634E0367E51BCBBF12CCAEBBB59C39,IMPHASH=3EACB9638877275335DA4B58E52824F8truetrue
11241100x8000000000000000259255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.438{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\9B79FA8274CE828D6D34B31F22982BBFD4349F8FC976996DBE862C185AAD75AEF4634E0367E51BCBBF12CCAEBBB59C393EACB9638877275335DA4B58E52824F8.exe2023-02-01 10:53:28.438
23542300x8000000000000000259254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.427{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\XenStore_Client.exeMD5=5FD3831D176CD3D8640832C5B66DE646,SHA256=D6EA866CDF346F5D77B25E2DEFC85039D6064A9F4110E1D6E93B2CEA5D1988FA,IMPHASH=7B022230051F87318BF767AC43EB68F8truetrue
11241100x8000000000000000259253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:28.427{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\5FD3831D176CD3D8640832C5B66DE646D6EA866CDF346F5D77B25E2DEFC85039D6064A9F4110E1D6E93B2CEA5D1988FA7B022230051F87318BF767AC43EB68F8.exe2023-02-01 10:53:28.426
23542300x8000000000000000259252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.418{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenvif\xenvif.pdbMD5=52E66507550875C4497C9B1714033C42,SHA256=286C2257C15FAB8049E1606B9023B9712C1C56399C277CD21D4743DD907EF290,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.383{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenvbd\xenvbd.pdbMD5=18BD074783FE9573140A8ADDB0B4ADDA,SHA256=20C0432BF097FE5CFA2065D6F44385BCA5A8FC63D810E806C5784CF0B83F17CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.367{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenvbd\xendisk.pdbMD5=414EA2B3D2B5D69F01F2EA29908061A3,SHA256=799441897AC67C342CC86D5C5E1C5D2B4D2F17FFDF5B9FBB24CD9DE71A29F188,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.280{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xenvbd\xencrsh.pdbMD5=0FE4D3B932BFE65E30BC25FF15395880,SHA256=86BC5C69D8A561B8EAF1FDEDE8602ACE1E81FE6F2A988F6256A77951359C8707,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.263{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xennet\xennet.pdbMD5=BE10DFC54DD5CC6EE88492FE2D096DA9,SHA256=17195987020BEC13D032B00828102226948156573FD9B05B8559454DCC1EFF4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.247{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xeniface\xeniface.pdbMD5=A43708B95DFA6C6CBB837C0219BEA2C8,SHA256=ED923BF90F61BBEE984F82B89819114CAEE41C7DE09AD2F5AEAE0D9D73AA46DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:28.212{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\XenTools\Symbols\xeniface\LiteAgent.pdbMD5=F44E459CC8B9AF71368390AAF6D463A4,SHA256=253043860188C64693625CFAFAFA5AC84D8A6A63CC5AA7813DD33FBB3E9E778F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:26.240{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50031-false10.0.1.12-8000-
23542300x8000000000000000111420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:28.345{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC1D38DC4A771F94D6DC6FDE8CA427A,SHA256=646F28FC8E6BBF44457955A7ADFFC3B5ED388F35873119648B94869AF72772CD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000111419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:28.173{A4BA2B7C-44A7-63DA-6501-00000000BC02}8641936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000259329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.986{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\response-sets\aurora-lite.yml.sigMD5=6E0D7E30E1CBCE1DA3501784CA1D0C31,SHA256=BEBE462D1B76E0717630D643542C10F051DFE3752445098AF5D9688E2FAD0209,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.985{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\response-sets\aurora-lite.ymlMD5=AAFCF1CC2453BAC632C241AADC0F3342,SHA256=93EAEE4E5430AA035E569DC69E7F7A047458C04DC189908D9EBAB438696C3B1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.983{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\log-sources\event-log-sources.ymlMD5=98A75862C5C3D135D6C8FC9FBDBB98E9,SHA256=C1196789E22B9799233E5250C13D794B398FB0C37F084B6196A1847D4F26AC54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.981{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\log-sources\etw-log-sources-standard.ymlMD5=3F0498E603F2E03D20F976769723B32E,SHA256=E5819F86CE789244B780A487EAF8951E97BE26287EAE3B2266CFA1DCC67F8B81,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.979{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\log-sources\etw-log-source-mappings.ymlMD5=2625BB6302FF30495B388B6402A8C3E0,SHA256=161920AE39A9480B1B2342C81E537601D2A457B5CDB87651C668FDD02247BA9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.976{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\ioc-configs\ioc-config-standard.ymlMD5=E5F09DD8F058D9FC2A874C568B49EC58,SHA256=1E7EDA57FD6A90F1DA4599A6029717583DFB006744FCA23D246B9FA8115A2ECF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.973{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\config\process-excludes.cfgMD5=9A05DF81A593EF2F587FBA2BA8345DE7,SHA256=1CE2CD1AC809DAA0ABF44F78FD757F150F6F0AB5F2B0713CDA9968A90C71D06E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.972{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\config\false-positives.cfgMD5=6530781746932DFBE99D479E5D28EE6B,SHA256=A8B7D28C3FA3C8BC23990A397800007D6C661BF6E102F7789CD92DD56220A4F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.969{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\aurora-license.licMD5=6BEDA56036FBE184DD0950FD24ACFD59,SHA256=6C9187BD4946B5FBBF4D0F11EC0B2082B049A7343CD43D4659BF572750129731,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.928{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\aurora-agent-util.exeMD5=3942CA0103288F434CA0D40D223DF8CE,SHA256=B0B975B5C0102D20BEECAA1CBC21440514BAE8D6AFC48547F10A5BB407F94BBA,IMPHASH=83E64C635C9535CCFBA8CE9CB89BEC7Ctruetrue
11241100x8000000000000000259319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:29.912{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\3942CA0103288F434CA0D40D223DF8CEB0B975B5C0102D20BEECAA1CBC21440514BAE8D6AFC48547F10A5BB407F94BBA83E64C635C9535CCFBA8CE9CB89BEC7C.exe2023-02-01 10:53:29.912
23542300x8000000000000000259318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.770{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\agent-config.ymlMD5=A6BF29C2E08DEC94ECFD97EE35F50276,SHA256=40F2F7E81C96FBCC08E1BFCCC7155304EBADEE919B83FE5285055F3743469467,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.370{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\winhup.exeMD5=046813C6F8940465D0A0FF63E69625CF,SHA256=DFDAE5CF850B357E57AE432FC9FE2E928C41C1618FEA0FF7E3B095C08FFA4D11,IMPHASH=B588036B5202B7426CD84298C3DECC62truetrue
11241100x8000000000000000259316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localEXE2023-02-01 10:53:29.370{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\046813C6F8940465D0A0FF63E69625CFDFDAE5CF850B357E57AE432FC9FE2E928C41C1618FEA0FF7E3B095C08FFA4D11B588036B5202B7426CD84298C3DECC62.exe2023-02-01 10:53:29.370
23542300x8000000000000000259315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.351{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\win32ui.pydMD5=E9189503F8CD4DC3CDA51EE1C7DFF226,SHA256=4C4140943D5D61A54E2A8739A223AB2D94B8F4170979437DE14B07653EF1995A,IMPHASH=3D1A143CE99EDD70639FA0175493DAFBtruetrue
23542300x8000000000000000259314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.295{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\win32service.pydMD5=54BFE5B2DE320A4A33657B244D099305,SHA256=0EC84629826E02AB332D964BB79D8BEC3DC6AC2B0E4102CFFA7783C1DF1C539B,IMPHASH=1C2D29369D35FB9AD3B89FE06362D9A1truetrue
23542300x8000000000000000259313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.291{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\win32evtlog.pydMD5=5199673602B44BEC97C385CE1F05EF82,SHA256=EB66009B2DFD38077A444A07A2CB187EB0B577F505104C3D5365230D9F976841,IMPHASH=C19851BAB0A13AE81BBEC8020388D4C8truetrue
23542300x8000000000000000259312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.287{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\win32event.pydMD5=F5BEA70ABD9CEF4A71FFBDD558C18E80,SHA256=EFC83B9905ACC5095C33061D8EDF3FA366A28870C3FAD54486000B15EF890943,IMPHASH=5FB7FBC433303B661E47140CF25A7D06truetrue
23542300x8000000000000000259311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.282{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\win32com.shell.shell.pydMD5=1F3CF8BB9C1A3A48F104CEC3D384CDCB,SHA256=4A5E1C739E0EBF66E2D763B5CCAC9E533761114ECCEDE18E7711FD3DE46DEDEF,IMPHASH=7855DE64209A69DEEDFD445C17E50C6Btruetrue
23542300x8000000000000000259310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.270{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\win32api.pydMD5=FC7B3937AA735000EF549519425CE2C9,SHA256=A6949EAD059C6248969DA1007EA7807DCF69A4148C51EA3BC99C15EE0BC4D308,IMPHASH=8E96D8CF5673AF94EAD097162739DB96truetrue
23542300x8000000000000000259309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.262{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\unicodedata.pydMD5=4C8AF8A30813E9380F5F54309325D6B8,SHA256=4B6E3BA734C15EC789B5D7469A5097BD082BDFD8E55E636DED0D097CF6511E05,IMPHASH=0C1227EF9E5248D56560B944D04025CBtruetrue
23542300x8000000000000000259308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.244{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\servicemanager.pydMD5=FE6B76ADE7B0E4FDEB11086CC7953AFB,SHA256=5FDD054AE58C9FBD85405F1623A0A9BB14A0F798BAE4E2AC8268985A5A4015DC,IMPHASH=B80B56EAB34BD12806E5D413DC559D0Dtruetrue
23542300x8000000000000000259307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.241{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\select.pydMD5=C119811A40667DCA93DFE6FAA418F47A,SHA256=8F27CD8C5071CB740A2191B3C599E99595B121F461988166F07D9F841E7116B7,IMPHASH=812F037EFAEE65AA413CAF6A2EC4D7C9truetrue
23542300x8000000000000000259306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.239{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\pywintypes310.dllMD5=BD1EE0E25A364323FAA252EEE25081B5,SHA256=55969E688AD11361B22A5CFEE339645F243C3505D2963F0917AC05C91C2D6814,IMPHASH=EF98E964CDF77BBE8CDE3C189B89321Etruetrue
11241100x8000000000000000259305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:29.238{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\BD1EE0E25A364323FAA252EEE25081B555969E688AD11361B22A5CFEE339645F243C3505D2963F0917AC05C91C2D6814EF98E964CDF77BBE8CDE3C189B89321E.dll2023-02-01 10:53:29.238
23542300x8000000000000000259304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.232{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\pythoncom310.dllMD5=020B1A47CE0B55AC69A023ED4B62E3F9,SHA256=863A72A5C93EEBAA223834BC6482E5465379A095A3A3B34B0AD44DC7B3666112,IMPHASH=6ACAC176B102267ABA64E5093F89A2F6truetrue
11241100x8000000000000000259303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:29.231{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\020B1A47CE0B55AC69A023ED4B62E3F9863A72A5C93EEBAA223834BC6482E5465379A095A3A3B34B0AD44DC7B36661126ACAC176B102267ABA64E5093F89A2F6.dll2023-02-01 10:53:29.231
23542300x8000000000000000259302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.205{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\python310.dllMD5=DEAF0C0CC3369363B800D2E8E756A402,SHA256=156CF2B64DD0F4D9BDB346B654A11300D6E9E15A65EF69089923DAFC1C71E33D,IMPHASH=1BA87C09C523D7DE2B8992A559808C95truetrue
11241100x8000000000000000259301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:29.201{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\DEAF0C0CC3369363B800D2E8E756A402156CF2B64DD0F4D9BDB346B654A11300D6E9E15A65EF69089923DAFC1C71E33D1BA87C09C523D7DE2B8992A559808C95.dll2023-02-01 10:53:29.201
23542300x8000000000000000259300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.014{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\pyexpat.pydMD5=43E5A1470C298BA773AC9FCF5D99E8F9,SHA256=56984D43BE27422D31D8ECE87D0ABDA2C0662EA2FF22AF755E49E3462A5F8B65,IMPHASH=D56A60A7D9F8ED3A6A815934929C63B8truetrue
23542300x8000000000000000259299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.006{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\perfmon.pydMD5=58DBC98F53388244779562F2F47C63F5,SHA256=0625E3E3306D934B64FC0744D9444A4AB88EBF07B3D01DF48245C88D6A418E2C,IMPHASH=FFFD02D61FD6FD339897923518535A72truetrue
23542300x8000000000000000259298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.002{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Amazon\cfn-bootstrap\notice.txtMD5=B4DB8D0A4383EB7A140E0BEAC72C10FD,SHA256=4C1E8927D69CECE2EEDF12BB496CA2F75129411563224A320B294CC04EA49E9A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000259297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.002{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\B4DB8D0A4383EB7A140E0BEAC72C10FD4C1E8927D69CECE2EEDF12BB496CA2F75129411563224A320B294CC04EA49E9A00000000000000000000000000000000.txt2023-02-01 10:53:29.001
10341000x8000000000000000111435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-44A9-63DA-6601-00000000BC02}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000111425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E05-63DA-0500-00000000BC02}412428C:\Windows\system32\csrss.exe{A4BA2B7C-44A9-63DA-6601-00000000BC02}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000111424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.743{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-44A9-63DA-6601-00000000BC02}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000111423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.744{A4BA2B7C-44A9-63DA-6601-00000000BC02}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000111422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:29.435{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BFCE8D0E162CF587BD2281A2679D87,SHA256=6BFC2218D79C3A13498D7EACADFFEAE7F135391D96F5EB31D8732AE146F9569C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.373{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.datMD5=35BA8F21055191FC52B5C4C9E4AC2D50,SHA256=2E7E0C2E101C61E59788DD94462D562524646C56ADE7A31D84DAC0F55D4C0DFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.348{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\iocs\keywords.datMD5=6A7590C6FB0E1CA69CCB6D15DAC05918,SHA256=C0BC5AFFDE3FDF3E1C38F16E6FD3BECF56568DEB135C7B81A8617CCD1B09FC14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.344{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\iocs\hash-iocs.datMD5=6BDCC5C8C187254CD536D48092FF0658,SHA256=01CF07AFB7D2954C101513F7698A04AA0922686955FA4FF7DF7B9AC60BE0A377,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.339{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\iocs\filename-iocs.datMD5=19BA6E664228E83E7473C47AA48FB8E7,SHA256=571424F1CFF0B75E3BA03EE707BBFDA31A244C0C2E249101B63668FB65A9E401,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.338{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\iocs\falsepositive-hashes.datMD5=AD6AA02FD9AE71588E016F50C427C082,SHA256=37BF7DF7A4C487EAEC287AA0AD02206C734634828BA798350A15612296F93308,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.336{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\iocs\c2-iocs.datMD5=284CC18FC7FF40A3A83B6A5B3ECBA377,SHA256=D2C67E76F44A8E9D5EDA6F789BEF3CF0E34A7D4A380676D89A48699B07E889E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:30.299{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3C50B1D26644F67D26AC5E1FA932CD,SHA256=44AC38C360DB3337BB6BE9BBF9FBFB75D44746E964887ED337554AB5D9B0BCF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:30.850{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371761CD534BEC9914B59044D676A950,SHA256=F7CB7D57BC61CA30D29291E9740A1A7CD8D81E33845967531B9653B31BEFD4F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:30.526{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C491D72BB7CABDA7770B08B203E0B3A,SHA256=565771104785CE788C6484E3C8B0E915679501C239700844E601EA8B521DD28D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.996{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_hack_smbexec.ymlMD5=9529FFD5C88BDCD380D763CEA389CEB5,SHA256=05248AC800FAFF94F971AE3FC1F0F136BC1623F37E77BB9B25F6708D159D63F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.996{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_eventlog_cleared.ymlMD5=3C0CC7B1B7C138E4FCC7456150CE374F,SHA256=B5BF884B67F2F90EC21D1D48E69CE5F2F7DC15AFD8BF6F6DBC2A333DFEF16946,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.994{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_defender_disabled.ymlMD5=C9B324EDEB7A12DBF202618298F270FF,SHA256=CDDDCB1C08E816661AFD31C3BEAB7BE12F9CDD62DB3A05F60C75210470154D56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.993{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_cobaltstrike_service_installs.ymlMD5=057030BDF84196AEBB464A84779AFDBA,SHA256=44713FD73D69C96D3CC1E179DFB58A2A01CCE41AC64FD671C17E1716EA3327CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.992{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_apt_turla_service_png.ymlMD5=FC4F7ECAD928D952C1631801B94E8A17,SHA256=042F8CD1B63ACB92C4C1DBDE6FDA62C1352A124B3BA83BD4F4D4BEAD2A0DAA31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.990{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_apt_stonedrill.ymlMD5=DF0DEFD03732ADDF3BF3BD6D929479FD,SHA256=0BE7F036B9CD17ADBD247C16A3EC4CF9D895D5D4FCAD47462B68D777712BC3BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.989{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_apt_chafer_mar18_system.ymlMD5=16B581244E5DA5892CC7F1402926FC9E,SHA256=B0960A57C84BF4A9D163CB06FA57188200364170B2D50B5377541A27994AF255,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.988{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_apt_carbonpaper_turla.ymlMD5=B444A2DE6315A62A1999F03E929F080E,SHA256=3EF8572F4F83E858A372FF05AE0E8FFAF476C9F5F54B3A1AA3683C0B57263098,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.986{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_application_sysmon_crash.ymlMD5=150B573A26F5BC3A4ACE910D493A771F,SHA256=5FB872C6D632CF079AB515A28F20A6C9150AADB1E44ECA034B465775C3CDDD14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.971{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\smbclient\win_susp_failed_hidden_share_mount.ymlMD5=27AFE3CAC675318CDF02A8C8B60BC9A7,SHA256=DB41153E899FE25ABC6218FA7C7AAEDA6050069003DC881462F3D14B9F64D0A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.970{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\smbclient\win_susp_failed_guest_logon.ymlMD5=DA582EF4E3BD3BA6D540158C741731C0,SHA256=5C664215FBC2B8DC7499DA922E0E07DD5D2A4E51501253FC224E1524D40AA219,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.968{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\shell_core\win_shell_core_susp_packages_installed.ymlMD5=160CA09334473C63F368C9C6806BBF55,SHA256=5F9ED96CAD1EB77480D50DD30E8F07C13A7DA16283B3F9FEE5FC261071183D23,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.966{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\servicebus\win_hybridconnectionmgr_svc_running.ymlMD5=73532C224551B053C6E150DD17637876,SHA256=D503ACD922E3301F90C67B6C7EB976E361F3952CBEB373316B843D388E87512B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.964{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security_mitigations\win_security_mitigations_unsigned_dll_from_susp_location.ymlMD5=1F586D4055F4BB00AA35479B2B68DD58,SHA256=673E021D8C59ED3CFB7217C18094B1000B004147F7CB078DA6823AAC00A66242,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.963{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security_mitigations\win_security_mitigations_defender_load_unsigned_dll.ymlMD5=C2EAFE218C241EA986FAA9F10C1E4D7D,SHA256=43A0EAC85EEC7653FA53843432D152D70A2C6831641FC371180278AB88BEEFF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.960{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_workstation_was_locked.ymlMD5=2D052E9EA45E4617F7FEF8B1ACC1C078,SHA256=18B5BE01A6B5E5B55B97F98F72504867B4CE306B37F71BA5725CE07FC8133BBE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.958{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_wmiprvse_wbemcomn_dll_hijack.ymlMD5=C6329DCE5A9A2E61C5092781788D9EAC,SHA256=8D1AC6CAAC44B8C533C22FD0119D41BD4122C3F2597D9721D9914F3BD36354A5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.956{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_wmi_persistence.ymlMD5=EBE62EEA012FD9A2102C827E50712D0B,SHA256=E23D83314D4391723CF4DE0B123D20C84241BCB76EC753E579D4972A744352B6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.955{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_vssaudit_secevent_source_registration.ymlMD5=2A36558E2A0AD0F6A783962C8D9D513F,SHA256=B347ED6C979351AB6D2622FF5A3C95CCF2E19D9A2054CEC641303E66726407F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.953{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_user_logoff.ymlMD5=CB2FBE04CCAFCFC8065869714BA68F66,SHA256=9589606C7B93D8B5BF2CC2FEBB931FB433A11FB82E8BADA46D541C4F0EEF4327,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.942{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_user_driver_loaded.ymlMD5=6C152CBA13DBCCBBED999F289DA71E6B,SHA256=B66B809FBA371DB6F94651A9838F551A2DCB49FC45525105FDD273203FD0B304,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.940{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_user_creation.ymlMD5=84BDE71F79597CE9A69C0F9D43AEF2B4,SHA256=7E0AC0FB236645810294AA71900540AB474EA212C0A2C73E1811E1AA7AD7A5FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.938{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.ymlMD5=EED9FF6CA7DF4E16BB2A79D7A0211B95,SHA256=AC0CBC667976E0DAED5A0A238F057518687215B66A78D386A9CC2D6988701EC5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.937{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_user_added_to_local_administrators.ymlMD5=3661A3AA5277A9877CFE7274C3A6DB2B,SHA256=29D4C8DA6605A961FD54E98CE5B7A2049F515BF449324B02FD9AA88393871546,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.933{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_transf_files_with_cred_data_via_network_shares.ymlMD5=D3994FEE7D130BBF2AA878FC7428734F,SHA256=CDD0924F69881E326E5CDC5D96324B93E02ED9E04D0F69F53DCB5B3A95BD976A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.932{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_teams_suspicious_objectaccess.ymlMD5=B3F81AD9B88A26EEB422F2C8CDF8F27E,SHA256=FA3ABE34370E32D0BA25835BEB271A6083D8618A333254D7AB232B40B2C3672D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.930{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_tap_driver_installation.ymlMD5=5E9F7E68FC2F39D3BE86B86145B4C93F,SHA256=D9E7544DCD6E6946A680EDEC4A3FE7962519C9AB1DC2AF1689A99747344869E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.929{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_sysmon_channel_reference_deletion.ymlMD5=D8FB36B32D0E0AF0B78C149FBCC88AAB,SHA256=4E6C2F0F9AF187B2C7D8FF29AA36BDD4BAB9292FC4C9919CD728CF32F21CC0F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.927{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_syskey_registry_access.ymlMD5=4216228D7075955BB7D7392A382C2145,SHA256=00E425F8620C5C7E3B7ED8B0C68945EA0CAF06D5D3C2FE46E705E6A4C5655C47,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.926{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_svcctl_remote_service.ymlMD5=8DBF5CAC59ADADD5C2B662513D47A8C6,SHA256=05E7EFAA84A8F624A2138DB0E4789CD512447B5D58BA6181EEED1F8B058E1E53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.924{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_wmi_login.ymlMD5=4D3D31DF4BE1C8BAB4EC8C05ADBD8EF8,SHA256=EB88CCE79C99A0AFA23F142C9CC2D623C4021FB4605BCCA073D3EEE77BF1E2BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.923{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_time_modification.ymlMD5=AE3FE14E350E97D3E53E29FF4EFBDFD5,SHA256=CC793D361270BF3BF7F9C0BEA1194A316F4B91D7F7E5636F0EB4CD92F4699C04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.921{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_sdelete.ymlMD5=C99BAE802C97B2ED7BD612C79D0AE66F,SHA256=16948BFB7416E7762ECA18348986D88A71C11C1971DBAFEBAA5CB3B2E2269B3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.919{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_scheduled_task_update.ymlMD5=781DBAE6F3C147A57F1429811CBADA7E,SHA256=00A6BBA34246EDC062CA814A4F655D0866FEB144D6E6E0995CC253095AC9EF09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.917{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_scheduled_task_delete.ymlMD5=CB7916622BA5CBF4DE036894DDE61868,SHA256=00D8879CC78A8223A2EE81652310175CDD9924EF8F95088FA49C3F375AD35D70,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.915{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_scheduled_task_creation.ymlMD5=08B15CE2375F9535E4012614F3BDE7B0,SHA256=D6BA32AC411EBDCEA74B88D965F34E5391EA191CA85778B985084332E486E325,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.914{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_samr_pwset.ymlMD5=3201FEE09EDE512F5A33839D8F93CCE4,SHA256=B1DB327DB99726EE9D291C5E797A66FA136F390BA192CEA9035765748317AB8B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.912{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_rottenpotato.ymlMD5=7C7729BFCF5A88C190A1BC5A5F5897E8,SHA256=828064F414C78C4B07E8CF2B234D17F45B618108EF717C54CB270B2C008C1892,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.911{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_rc4_kerberos.ymlMD5=AD2F78DEACCC444B84D353F7EEFC6076,SHA256=EAE9463EC2F4ED1E1A8AE9F8AC3DCEB946B92E6B7814D7EEABC4C5A6DC0E4A42,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.909{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_raccess_sensitive_fext.ymlMD5=71D0616441879D4D501B8C75D1BDBE18,SHA256=321A6BAD76A129B2D4C493AD83802A1F7CE1924C2571D3830F1ADCF507D82047,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.908{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_psexec.ymlMD5=825F05979419E3EE5E018A47F71438BE,SHA256=CAB2F9194A7ACBD9C9DD1FEF2223D902CC0923BF227EBC12450212289ECB5C9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.906{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB10C07BB88D9E4C0B6D7B9FA7BBBFC,SHA256=784EEAAF1721508EC6E56F9628D35307EB8DFE8C253A85576B0C1090CB63D24A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.906{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_possible_shadow_credentials_added.ymlMD5=1A4A3587AC5425C44A365CBE01C7C7BB,SHA256=9273DAA56E0A705001056D8DFCDA5E9E3204BB4DDFD2EF6A9F527271BD1FDB9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.904{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_outbound_kerberos_connection.ymlMD5=5C6B1392DFC3EFF2EC2D3CE83175E5F8,SHA256=649494BD7A81ECB3BA1190A79BEEA1CF4F44E734AA365D347B0BCCBC4ADA0294,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.902{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_opened_encrypted_zip_outlook.ymlMD5=595730B8D3FA97870EB5C6D8AE169AAC,SHA256=05099BA63926043035CDDDD29743423E8AE60BE57E6F6BF670CB5D9B9162C207,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.901{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_opened_encrypted_zip_filename.ymlMD5=240F28AA64120893E50DECCD95C36759,SHA256=6FAA400370E970C5CE4B15092C84C5947C36B58A3B386F8BB4FDFC0A1656D9B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.899{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_opened_encrypted_zip.ymlMD5=34595F8C006B6ABA1973690C01450745,SHA256=7843067A915B6D23929B65CB0BCAC091D3E1A3684D05AE81BDE17316C94B91D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.897{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_net_recon_activity.ymlMD5=89C37B7E6A8FD28138FDFFF914EBD7D9,SHA256=D94E5C57B7CF6B918B5ECC0548AD383E8F45419787BF4B81B443DB43981E1215,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.894{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_multiple_files_renamed_or_deleted.ymlMD5=E0B692B0C8BC64AB832DFE20B9CA011A,SHA256=6A716B99EDB23939C79C5BDFB77D8F7FED682A0AF73BE87662AC2E27FB5E1ED9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.891{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_lsass_dump_generic.ymlMD5=9D3227F79F9685AAE8C94D8982448F8A,SHA256=D4271869919F12148E1AB36ACE8FEC85FF2565692A9C7AF9713CC32D172CE02C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.887{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_lsass_dump.ymlMD5=FF5603A00E5F8EF639FC9F5446666E66,SHA256=962013C46ED18D2533AC9F39A712F3B9A55C35049159A6275E99DE2C6447FD2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.884{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_logon_newcredentials.ymlMD5=ECD971044533B2F2F499D20C6A63E543,SHA256=5E3F137B3C22F72879DDE4DE3A1EA5B3CB50CD4D29DDD0B3DD70DC259698DAC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.880{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_logon_explicit_credentials.ymlMD5=985C9CB1D08342D1A4EA2A7B8F26B4C2,SHA256=090F5118AE7A489A9DAD23199931FA4E551285B7A15D7A87E34F0B02529DF0B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.879{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_local_anon_logon_created.ymlMD5=F5AB6BD71F15EA9C07C5725A34F5E73E,SHA256=33B760D0060CE6253BF53A076E5BC590381C964B28FAF991321D48A2FFF56980,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.877{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_ldap_dataexchange.ymlMD5=FF1DA38D066632798F7EE91870EC7EB4,SHA256=3EAAD4D0CF35F2FF6728A984FC89D49EA9D05D4A83286AC314F385C957C50A33,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.875{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_krbrelayup.ymlMD5=4AC27E26B3AE7DAF81365057D31C095E,SHA256=203A9A17440F6B717DCB127143347007BA5D9094440FA355D7A64A0CD10223A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.873{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_kerberos_manipulation.ymlMD5=ACFD5AD70728FDB2CC6EC5E39EAC2B84,SHA256=F30766D50B0C0E670D14169483584716F74B0D0A472B9D3AC7D5CC02833ACB05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.872{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_remote_logons_single_source.ymlMD5=6745BD6992469964D46DB9C307B20797,SHA256=C5EE2636BE7EE1685183973F69C130B8095C94924755219BC535B69134CE89F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.870{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source_ntlm2.ymlMD5=00F52D8E03E48952638B0DE8E13D7215,SHA256=494416C15FAAEE1E2FB4C1ED3894F5DF7A2153EFC16374CDC61335B79813C336,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.869{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source_ntlm.ymlMD5=8ECEDCF33B82C8D881DE0849E4249A9B,SHA256=0DF6A827C3DB079089AB0324E0CA417E6569C850E293445BAD3CD780D0484E08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.867{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source_kerberos3.ymlMD5=CE59E5F82F5DEE0B762F52A002392761,SHA256=00913B7C64A3A546A8321C88247D80482663B5E7D527B0BD0984D291F0A00FBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.866{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source_kerberos2.ymlMD5=7653885120D50B54CD6A43752C48C691,SHA256=79457F918CB6232C3AB6548957F6A3C46900395C84505F76F0ADB6A1A591CF86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.865{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source_kerberos.ymlMD5=230CE5292617B7A817C3D401B4AC5C99,SHA256=8CE6C97407085F8B14ABC4F6B073E0F18F3ADE3CE8BD6491C48996E0C8A5C9DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.863{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source2.ymlMD5=E8AA6F47ACE0727C7CCC3387FB059199,SHA256=8CA94A0977646A20B4D03801F2FA4BC46CC90B59C118F0BC6C9054D0F14E78BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.862{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_source.ymlMD5=D849EF69D9D209C9E9F8378DA59BFF79,SHA256=8577346094BEFE7CF130B2F63C77C8F1F2488F56598BEEDD8D32C9DC28F239F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.860{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_single_process.ymlMD5=DDF610175F4697AE604799FFD84C999E,SHA256=84219C862FE0BF5D7041C0A9DD8A28E75E818AECA732450C98FC3B1696BD9332,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.859{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logons_explicit_credentials.ymlMD5=D999ADD46E2CE5C24C658BC8F035BF47,SHA256=471A3A333B2F473999E9303D16E9215D107F3ACA8A49C9AB6A806610B5E3A4D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.857{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logon_source.ymlMD5=1F1DAC2E32FA757612D1A267BC428713,SHA256=9351095C597097ECAC9AF98480E3955C59E701C4CCC4DEFC6205BAC2A111D797,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.855{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_failed_logon_reasons.ymlMD5=E2ED7F12D370F69756FABB9E26ACBB06,SHA256=DEFB311765CE74D81B91AB237D1F8AC696815F34A8457A9A8A49F954B0CEEDDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.853{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_eventlog_cleared.ymlMD5=B2D9443D1D40264B86D27AC286A38956,SHA256=A2E5E057DE856CB536C71B670F4FC99F52BC351AAA3AA5EBC36B2129404BB61B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.852{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_dsrm_password_change.ymlMD5=6569B520C764A926D6BCD57F644F9BD6,SHA256=4A1E50EDBBE6BFD6EADA11A319AB29EC68B740DA20DA42F0D62A83B41457C563,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.851{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_computer_name.ymlMD5=6BDF15FD20F6B31AAD0542015E593DDE,SHA256=0C26FFEF0CE1973C1B185CB3028D10B410AFE25E8EDC12CD81ECDE7743C88B31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.849{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_codeintegrity_check_failure.ymlMD5=868DF54D4F732C07771ED2805FCA8ACE,SHA256=F76338A60CF4F73DFD36A7166F74D71C7CDF96304E7A4EE6F60D2F6AEAC8FDAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.848{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_add_sid_history.ymlMD5=410F2D58D4F1BAAAF52C6C79F8EE26DD,SHA256=4245939AB830A43F0A3C2EB52407AF584532C63D4ADC94729DFB1F66AAF5E461,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.846{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_susp_add_domain_trust.ymlMD5=BD877E1B02F5DEE833356BFB2E5B79D4,SHA256=731BA84CC7BF8B39A4603D14D50858C516AF17586A9DDFB3A74ED11809588206,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.845{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_successful_external_remote_smb_login.ymlMD5=D13AFF7E332DDAEFB9269AF67ACE4459,SHA256=BFB2CF9CA5A83BBB5E5DF91CDDA82D328C92427CE1AA5C14EF3A72801F1CBF62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.843{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_successful_external_remote_rdp_login.ymlMD5=F6D5F07F6E73BA30E1E7F1E9A464B812,SHA256=0DE41615EB99FE3682330F078FE4D6E919DCCBC7CE1C66A773AF3FBAA1D1E96C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.842{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_smb_file_creation_admin_shares.ymlMD5=A4FA49F66C742700BD476DCE5E2B4F75,SHA256=423A585214925C114250A1B08471D352334BE4A52B1FFBD97AF46EA674E99EC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.841{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_service_installation_by_unusal_client.ymlMD5=F20B20FD68FCFE648574E9821B0C2A93,SHA256=541F6ECFDD3925C20CC45B4997A5846E92F02A6A2C0F2FD5E0D455A056CA2E4E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.839{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_service_install_remote_access_software.ymlMD5=56B7BE955681BAF5F2AE7CB956AFA92A,SHA256=6DCFCB5FB4147B35BD77A2354CE518FF7BF5246039935C6FCCFDA8B3611ADE04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.837{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_scrcons_remote_wmi_scripteventconsumer.ymlMD5=1D3ECDFA46C0F7443E702CFFDA05C85E,SHA256=CF3F3BE774330DA15949BE41219E44F767ACB2BB60F4C5386BB787C9270F38C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.836{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_scm_database_privileged_operation.ymlMD5=692E678895D6DE8D90F6134A50704571,SHA256=33021F3222BCE154235C13397B2CB7A88AF30A8C6A1BF0850290CC287F7850F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.835{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_scm_database_handle_failure.ymlMD5=3BBFC0BAC4A3CC555D81A7F88683E4E6,SHA256=1C1F9FF3763FB305B7274BB6A012A84F59A01B2DE0556E6CA539008877060884,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.834{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_scheduled_task_deletion.ymlMD5=F2A1EBC73AA4464D0599F42B09199EAE,SHA256=2FDF6A41A37C559D9C2DEDF7D64136AE51ADBCE5E65E7A8E17E9E95CCFF70971,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.832{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_samaccountname_spoofing_cve_2021_42287.ymlMD5=376E20195D4C3331D824EE6C403096C5,SHA256=C322269AD134830335E713463E6B6DD0FE1E9667978A592A883C6A2DF4F40084,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.831{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_sam_registry_hive_handle_request.ymlMD5=2597E197F8A67DD1CA1001FBF36E898D,SHA256=15A6F2A82AC08111E09704DB3EEB71DFF5E1465517EF0B4FD79880CEC1936A1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.829{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_replay_attack_detected.ymlMD5=D7EAEC57F7175B7F56A8F9ABB8E5989C,SHA256=9AE09BDFF82EC970EB389CC63506A0A315824EF9F8ABB6C96A6AFB48E8FF26AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.828{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_remote_powershell_session.ymlMD5=B6AE55B187EF5D19691DD5D59260FEED,SHA256=0BA455E755E0CA53A683B90F30BE7E199F2C3B06857CFA0BBE09317FA1AF928B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.826{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_register_new_logon_process_by_rubeus.ymlMD5=E72175DB90440D598CE77993678476A7,SHA256=2B2B84EC96EA76AF8A5CC637399ADB545F0DFFD16CBE13F3FFCBFE5801FBAB68,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.826{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_rdp_reverse_tunnel.ymlMD5=3AFCDBC451CAE12FBFA8574AEAD1CF26,SHA256=47E50D43E86E75EB7DF2C1C71D5E56C5B77576CF53C57B0ECC66776E2BFF63ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.824{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_rdp_localhost_login.ymlMD5=208BAA11B236B492F07893B86C297505,SHA256=CC85B918090E9D25FB5C41690BFEE9B56F460D2FAA300B860D1F0425EA8B2B27,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.823{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_rdp_bluekeep_poc_scanner.ymlMD5=4674923664CC96D45341A5E39BB14CB1,SHA256=8B6B2C713AD2A85870390FDD2AD2AB595BE1BF68458C043B90CF9CF27168D807,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.822{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_rare_schtasks_creations.ymlMD5=7AF807439766B664E4EF0198F5CE1DFD,SHA256=BD6E8690688836558EA6A600B9F314772B1B551545F56BAFE31FAD0D451175E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.820{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_protected_storage_service_access.ymlMD5=1AB6AB4DB354B8B74447E720A3FD98F0,SHA256=F6E51243D140913B35E0C67CF89A1F14BDF6326D2F05E9478A33D5E7A9C0695B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.819{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_powershell_script_installed_as_service.ymlMD5=093FD2CA7670B681B1705BD139E7EDD8,SHA256=F7EF6388E1EA8F7DF7AD179C60143C9B79A996965AFCE21AD4761E1EFC9419A5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.816{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_possible_dc_shadow.ymlMD5=C0AD64E1A8F4C6ABF8EB3B3669DF7963,SHA256=5F7672BF68BD6628D5450B3EDBEA777C3F13593123E4850BAA39D1A94C54CC6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.815{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_petitpotam_susp_tgt_request.ymlMD5=839D1EA3A36BA7B8CF41F1DF13C04835,SHA256=8ABA5A2D3E0083EE860B3B7AEFA046C5DE021768795C380D6472B7E51B74DB79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.814{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_petitpotam_network_share.ymlMD5=357C426491493BF1A4CFE77EEC63DE01,SHA256=307DF6C60D4DA95CE2D98C797110BD33CA10A55599B4A14D7BC5D3FC3E291DEB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.813{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_pass_the_hash_2.ymlMD5=F60A5D366166E6BA2D6147A9429E766F,SHA256=479504971AC27F004517636106D91EF2486FF8FEB781DC0632AC0C361014D0AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.812{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_overpass_the_hash.ymlMD5=2BF493E550877E56F24189A1BF84E48C,SHA256=2C74FEA457966672C6228B876ECC23D42D6B9C5FA0A3CB9994DFF551EF48AAEC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.810{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_not_allowed_rdp_access.ymlMD5=FCC92391A71092162CCCB81120524F20,SHA256=DDA192B4F118645A531D0B858918AC341D49471953DBD9BDBCF3765280BA53F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.809{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_new_or_renamed_user_account_with_dollar_sign.ymlMD5=3395E155A2E0F30059895F9BAFC52D4A,SHA256=1AA2618D7BC17FB826EDD773D11EBCBF900DF951DC13C0579C4D3B6DBCBCE3D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.808{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_net_share_obj_susp_desktop_ini.ymlMD5=1EDCF5728724C5864668B6CBEB654CE8,SHA256=D104FEBB66C0AEC22550AF72FCB452E00D58B2CBD958184E0A98A641908F2FA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.807{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_net_ntlm_downgrade.ymlMD5=D2E967326EB2CCA178DD14406B55073B,SHA256=587EDCF5136BF989E66917FA1688B3425490FC2579596E391D56137CD61D8F3A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.805{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_meterpreter_or_cobaltstrike_getsystem_service_install.ymlMD5=A64A09ACEDDE1878B20F3C87B2F3CC27,SHA256=A35DBF4235AB95A459E08527AFF9062740503685A771D38BD581EFC5643F4037,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.804{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_metasploit_or_impacket_smb_psexec_service_install.ymlMD5=C219CC9CA256A12AD93D1E1962CBD213,SHA256=E739278FF35BEC4C67D64F431E26D98B3980FAED1341D39112A0B898E7DFA13D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.803{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_metasploit_authentication.ymlMD5=B0784F9472A6ED1C9B5DADDFF68FE29E,SHA256=DF42C2FFC1F340FD9E8EFA77A063D9D55079EE6A6D601CD70D0C278A06527487,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.802{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_mal_wceaux_dll.ymlMD5=FB7F5784442B693178CE5AB466BA4C1A,SHA256=34EE3F5D712CF6F54CA00FED143655151E87A074D2A7BC48AA1B6F003EED498E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.800{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_mal_service_installs.ymlMD5=FAEC227B6D0708B447177AF169AFF009,SHA256=ED1F4C527EC09D0FCEC0F54A45BA7BA3C8A9E94D02058507DA409A636C9D8FA3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.799{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_mal_creddumper.ymlMD5=1248B752E1723CD413BAF9A0F0169491,SHA256=5EA9E4679302C37351D5C6B15630692CE9F194D74326D8FD89FF3E83C5C619B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.798{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_lsass_access_non_system_account.ymlMD5=7698E60F1383AF99FD3A2DBC3075FA6E,SHA256=BBAC08BFB1B13210016F7CDB669A4B5F5C9682BB034B0B91F82131B6D02F8E1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.796{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_lolbas_execution_of_nltest.ymlMD5=1CDDD644587473833D9F62F59E38AB6B,SHA256=A97FD208CC0A82E9A72041D6166D2336500C8C45E786B199EEA1AC6A63ABE1CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.794{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_lm_namedpipe.ymlMD5=D0EE92726F92D0001EA43C4C9E509A60,SHA256=3057F0C28AA79E82514C3A8ACBC57487A015077D7D91824D488851834D95DCEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.788{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_iso_mount.ymlMD5=202F9FD9447B50E0D8F1288371370C19,SHA256=7BB025DD730ED8023266C2A2B226E533E5CAC48AB31ADD43160705AB7F9A2052,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.787{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_var_services_security.ymlMD5=DB991C3D66DEC86EC71AA05C8632631D,SHA256=B001809CA7F166F88FABE179C473EE3A69763805E16AECDB5DD527FCFBD8B5E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.786{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_use_rundll32_services_security.ymlMD5=F09CA6CAD55F460BE1A955E6DB83AB2B,SHA256=C99C9DF435AF3FDF5AFAE105B21BB765506EA019B8661674D872C7420018FD2B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.784{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_use_mshta_services_security.ymlMD5=4CB4B1F8F9A0FCB53B09A0A18BB0EC4F,SHA256=5B7EF41391282888ECBEFF1F7FFDDA1A1D073644B1DB34BD7C619246A46A356E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.783{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_use_clip_services_security.ymlMD5=96BD9207ACD6C99C571FA849924D910C,SHA256=210D8B9A1FA4BCC13560F2B5E2105667297CE766BF55EC49ECCC778A9FD0D3BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.782{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_stdin_services_security.ymlMD5=FA8B01EAA0A156AFE1EBA6DF7605E2DF,SHA256=1174A88BA66E3F66F5F53A938B548C8F41EA285FC20C26B81A1B13B738C1CFB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.781{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_rundll_services_security.ymlMD5=CCEBB65F567A8AB161E32B327BBEB325,SHA256=71DF57F1605534F5DF4FB8FA43CBDE7D8BE4EB69F61484374CA936FCFF3805B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.780{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_via_compress_services_security.ymlMD5=506C9762049CB196FA3E32AEA34CDE81,SHA256=6D62628B469E36E48998433270D2F017CA4C82A36B82E37DFE8182EDB1AD7E72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.778{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_var_services_security.ymlMD5=70EE144CE16BE29E5C82430DEBC5A282,SHA256=7B777EF27323F140262CEC1A6FA0FCBE4CCF58BB807E6180549EC6A88C882B35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.777{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_stdin_services_security.ymlMD5=66CC7F5867C4F713AB536494CCE11CF2,SHA256=227A5157CF30FDC484B78EEEB838D9C83C85438025FF72516D1F7AD0B5656B2F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.776{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_obfuscated_iex_services_security.ymlMD5=8293529091D7F55F85457B5DB730DED2,SHA256=EF80AE8EE1FFF59DDBE7B54DCBD0D021D53C1B2F8F9B895407901530C884AE32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.775{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_invoke_obfuscation_clip_services_security.ymlMD5=32EB867080612BF5C8A57DDD256F9A16,SHA256=6AFF9CC2633783F0B479E8DD453D7847BB66C4F5698B7A8B5AD92BBA2383D4A3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.774{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_impacket_secretdump.ymlMD5=2CC81194426A785203DEFC0F41E341D8,SHA256=8C7CE8BCFFFF203790D424BC3ECD7DD5202382395A14D80C5B7FA2E9A19B40B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.772{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_impacket_psexec.ymlMD5=327E02EB1897F46EA23DB4EDBC8F72E3,SHA256=F29A3A6D0F58B93D1EEA88E60F64FAB122EC768721C3FEE02EA8E4D2D6B0CA7A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.771{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_hybridconnectionmgr_svc_installation.ymlMD5=5A88B83382AF7A6085BD355CFE3D8A67,SHA256=05F5A82E08890539F9CCB1552E02DFAFA1BDFA0D7FDC8FA42640D45723792A86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.769{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_hidden_user_creation.ymlMD5=133BBD51A28B457DE7CA3AA55BAA7300,SHA256=705ACDF5A9B113DC5A3DA05E2435F30C352550F5BCFB66FF69FBA7973C4B4C44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.767{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_group_modification_logging.ymlMD5=995A17ABC601E734E9458439928655BC,SHA256=F93BC23038BDC9309AFC9082A11F50D901CC98EC6F00A6DA6A9D999776E221F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.764{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_gpo_scheduledtasks.ymlMD5=B781FA3ED4D3D369B030EDB9386F154B,SHA256=6617604EFF09D418CF9F542069DB3E29EDE9DF9C8690B8C196B8CFE3763B1056,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.761{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_global_catalog_enumeration.ymlMD5=A8BD5CB5175C11C9882BC0C4A2DEEDEE,SHA256=F18909220AFCAD70A1080E56FAA85AABB0669273EE5C4C5DF761FF64909BA965,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.759{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_external_device.ymlMD5=45766F94B962EAACA4911D32E36BAEF2,SHA256=AC74CF6587413A6F3B852707E4CDE371D990DE07980CA701832F78BBF10174CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.758{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_exploit_cve_2021_1675_printspooler_security.ymlMD5=A200DEDBA78E91B2E4B4BDD7A4E40BDF,SHA256=B6CB61661FF47B37AAD4F70459D5B27A8078227CC6D7DDE561DF37299EA0CFBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.756{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_event_log_cleared.ymlMD5=4680BFC4D85FE621767DBD48254925A0,SHA256=23E963604CB49F1ABAA78A790E2D01CAB31035337108585D13E0BB4A446A249E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.754{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_dpapi_domain_masterkey_backup_attempt.ymlMD5=C50C0830A38853D902EB31B372B91990,SHA256=9D4CEB23EF3C77DD3D16D8163AF334B07FA5E2855983E40E67C2B8B9C8AB172A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.748{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_dpapi_domain_backupkey_extraction.ymlMD5=4FF4262C92BD2460C4FBB7D9BDB9C5B4,SHA256=C863708DEF34A72018CA703ADCFBCFB6E5B0C0D04B9D477993528731946B5BE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.747{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_dot_net_etw_tamper.ymlMD5=C0B60A96B0BB38B50C0852B534687960,SHA256=61EF873C460B043161C0F8E7F7B518EC70E9D44C184B593AB86646D031632111,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.745{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_disable_event_logging.ymlMD5=1C148C740A660A2609071F6F5E48D518,SHA256=2670DA282E7CAE970FBC148900780FB44421A6EC46896016AA84E838B6E1D8D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.743{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_diagtrack_eop_default_login_username.ymlMD5=2218999E405C790C456082258B406DD5,SHA256=6B107F31AB976431DAD62BC91404445D54A46B1BF0444023692D79D8A81BDA43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.742{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_device_installation_blocked.ymlMD5=222A16F857EACD9F09100A1A83748641,SHA256=BD27B1D197FBB58B26C55D44263F9097C387341056B9B97BEFE763A4637DD896,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.740{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_defender_bypass.ymlMD5=37074BC2A6F9B5CB89E53B3256A869D4,SHA256=0F970C19DA5A5ACC9D1045A533970191B38E1AC444185C6FB20B7A601F4B25A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.739{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_dcsync.ymlMD5=594DDD6682E74C13A817B490D8941977,SHA256=3C80748BD71C0F17167897C8DF817FAC00D3AE95ECB1A33027161657D6BAF871,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.738{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_dcom_iertutil_dll_hijack.ymlMD5=9327EC5F9B8A7734FD90AFC86BD80343,SHA256=31B1D8F0A4EDF7E1EFA0D7961E8CDC40206E5F47D92FBE315A71222C4E7DCBF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.736{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_dce_rpc_smb_spoolss_named_pipe.ymlMD5=D812293CC85305A5EB07A9743D1E2CB4,SHA256=1AB052F47093772ACF0E59FA0EC5A5929D95461389C528ACFE4115E9EF01A91F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.735{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_cobaltstrike_service_installs.ymlMD5=5D6A358273A788198CE8EC79AC039E0C,SHA256=B1A5E8B5A318E81B0D3A045999F6FECCC453AE16F3C641CAA829C3C9DE172D25,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.733{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_camera_microphone_access.ymlMD5=4250D2201DD0F85FE3C8A38B9C35B215,SHA256=82BBD39E84728B6C65250FA2C64F5563016B152CAE386245450A7B0848525923,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.731{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_atsvc_task.ymlMD5=B882AFB2E63315B66A4601B1E8D6FB20,SHA256=73A35BEDC5345F0C430804FB55FFB77874D6DED1F3F19FE401CFB7AB425BF928,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.730{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_apt_wocao.ymlMD5=B55C396957EDD8FA9E60109A3A0D7472,SHA256=FF97A054B2584DC58D83218B11B4A3FCBBAAC356CCBCD4A52ED60D507A93BB7E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.729{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_apt_slingshot.ymlMD5=E0774253D6D2EF29A5D512B0F478B541,SHA256=AADC0F310CDBBA8D6D0253D3798AE1A861DB515FC1D34BA87DC6C5F97C829BB8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.727{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_apt_chafer_mar18_security.ymlMD5=51C541563EE091851F8CDD557F432909,SHA256=BB9D290AFD530EA992E4F48B8C259F64B0C09F175F2468B4021FA1703CCE6B2C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.726{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_alert_ruler.ymlMD5=8281ED847DF7B29F6D35F7F054D24A0D,SHA256=E6B5CEADC42042F648951F4EAB52983350242D8E525E451F516BF16DDF3D7F60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.724{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_alert_enable_weak_encryption.ymlMD5=B47CDD006FBB5D7F6B7F367660CEFBCD,SHA256=0EB0E87D050F65A17C3A6F49654BF28267D487241F2E67A7336A63F8FC92B3F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.721{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_alert_ad_user_backdoors.ymlMD5=C36A700A64A607A4AFB330BB4356B1CD,SHA256=56AFFB90C0B6A1C04DA5678759F14C62E2C28D680D86B0358CB7F5D910A5A2E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.720{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_alert_active_directory_user_control.ymlMD5=B91A7DB78C49F99F3FD6CF36A71FA390,SHA256=63807C7C591C5B78DC0A4F1AF65C51DC82287B7DACEDF8A1149579B641F28F09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.719{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_admin_share_access.ymlMD5=BFD019C19495A7283ED021678A529459,SHA256=1ED863988FCCE60DFAC6EE5A042610D925B196E735E920A07A0A9C6EF3CF7AE3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.718{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_admin_rdp_login.ymlMD5=1A5EFDB442E57E1D188EF7AEE56E8E2D,SHA256=39CEC2A2B31E174728FD519683CFB8E0CFF49ACAF731B4A6E714FD934D7D1187,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.716{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_admin_logon.ymlMD5=6CBF478FE78772B69A675318E85587DC,SHA256=21684F3CF4E87E4241C4623DAD02566E52F8F65E794D8D4A7C63A2A1C4F664F1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.715{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_add_remove_computer.ymlMD5=6E7BC33E9C98C064C9C2D327CDA88D6E,SHA256=D6F39AF26F6866BA594B1F8FFEFB774D673A2947F76408EEDB2B52407D513EB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.714{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_adcs_certificate_template_configuration_vulnerability_eku.ymlMD5=38AAC4C041CDCB347EC8738256810277,SHA256=502DF75C701BE42B475B931B5933CE2D3FB49067961C4DBE309A50F54A4F43C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.712{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_adcs_certificate_template_configuration_vulnerability.ymlMD5=E8765EF41580155374E883CF74DCF13D,SHA256=1A15A93C3E440740AB444DD0096FC1B1D160BDA0C567854C945C01A4A4F3ED40,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.711{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_ad_user_enumeration.ymlMD5=DDD75440B9AD919CD71E649464006D1E,SHA256=028698ED50D8225B996488D959FB195B352A48C70197A7287404B2AEA2228BD1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.709{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_ad_replication_non_machine_account.ymlMD5=D80291A517DF1E359B9DF2C8DDE36EB1,SHA256=6B7AFD8ACD2FF9D3E2BB28F746E3EF241CD28B9992ABE7B7A32306C81FE38408,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.707{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_ad_object_writedac_access.ymlMD5=06D7143D18174C56C669C5F27E52F390,SHA256=A9A0335DF0869467197B42540A06F729A42680D6C015ECBD2CD3B66A347890D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.706{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_account_discovery.ymlMD5=01893C74EF926C1F8762ADCFC20E805F,SHA256=B661A96D978CB4C7B55609E791D181EC77549095AF9CD5BAB66CB21CF1640CEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.705{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_account_backdoor_dcsync_rights.ymlMD5=1EBBC91945B35228887E6754C8E38074,SHA256=B04E9FD9F2636F7F77D635B8264A04E84668C2F2288904A2E8FD157AF0627D89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.703{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_access_token_abuse.ymlMD5=5A02EEA35211A334EBEE158DC016CBD1,SHA256=38CBB70B664E6487262A3A2C68181502A4F77BC6D73826F712374A315B8DC496,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.702{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_aadhealth_svc_agent_regkey_access.ymlMD5=77143A83F35A6BB4A03D2A2240737757,SHA256=8F5D9FBBF761877C9CCC3B8DAB762E684A949282B0C806396F8261CA0EA3614F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.700{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\win_security_aadhealth_mon_agent_regkey_access.ymlMD5=73926DF86DD50AED7CE9711172F22E64,SHA256=B1A85D18DEFF70CAF74A39DF80BFE38D452AB56D6EC9B8EF9D5B59DDE810743E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.676{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\printservice\win_exploit_cve_2021_1675_printspooler_operational.ymlMD5=316409AC2DDD08A3687559B0407FE508,SHA256=822BC354A7C0AF92CE1B28F638D5BB5527781DC126FF84AFCAF1FC957D0DAE02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.675{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\printservice\win_exploit_cve_2021_1675_printspooler.ymlMD5=919410F956BC5BC2F55AC6D5DAAE13AF,SHA256=74D3C0F833C55F5813FD2E979F3DE4353F004A5E9DCB535EC995E64B28B71209,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.672{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\openssh\win_sshd_openssh_server_listening_on_socket.ymlMD5=B760D7D54F6F5AE6A805F7681966C7CA,SHA256=4BCEA487F0EEBA912BA14219CB492BBA34541A0697D18D3B89CEC1DFB5F710F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.670{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\win_susp_ntlm_rdp.ymlMD5=61D1F8E7B1EA554846FDE45CEF052E9E,SHA256=8196417E98D3915D3A9C8C82D7D803275CB9A7369D7039F17876A491F2C13269,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.669{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\win_susp_ntlm_brute_force.ymlMD5=9CB840A5C0FFAD76C04121A41C38714F,SHA256=ACA5276AEFFE4792EF04E1D94EFB4B1468C5FFB7B4BFEB335C569ACD39872F29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.667{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\win_susp_ntlm_auth.ymlMD5=9D34E0DF88958C4136C75350319AEE4A,SHA256=3C036B3629C1FD48F793AEE51DA42658EF59E6CCA70DB48DE27173CBC4D91D65,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.665{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_transportagent_failed.ymlMD5=2711F47E21C613159A07C8EB94281E23,SHA256=F7A7339444548CC32CAEFF919F35F940140B4F75255291A2932AC38EE0225DBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.664{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_transportagent.ymlMD5=25EE55E30D65B4996C012D8FA0264054,SHA256=BD892D987F844E6BBCC82629E5F65360DC776D17480BA6C92413AB86C6DA453D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.662{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_set_oabvirtualdirectory_externalurl.ymlMD5=A1BD2D1C2869F442DB82F903AF19417A,SHA256=6370ADED83DB2CB1237AD75AA07C60FEC6FB27136F19717DDB72FFA3EC57E21D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.660{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_proxyshell_remove_mailbox_export.ymlMD5=B05C855615EE986B676ABCFD2E2E9B60,SHA256=C33974CD893033C0ABAF8395C50BE7EFD70F011400F14E592782FD4218FA2D55,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.658{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_proxyshell_mailbox_export.ymlMD5=8928F4C53EC1CB1AC03F5080884D1C68,SHA256=F15006C94ADD29034B04356A3A80611AF466AA19FDCE705FF0A0311C738B933D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.657{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_proxyshell_certificate_generation.ymlMD5=4C2BDD55AAC37F07BA13EDF608A41829,SHA256=4DF1BFDECDCE367DE3D350353C5E9293BBF00CA8DC38813A4EC44D8703803E4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.655{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_proxylogon_oabvirtualdir.ymlMD5=917528EBF89610AEE76EF6FAC9069CD0,SHA256=4E60C7CF2C62FE93398CBFB65FAA4A995CC2E30433A502790E826371F800A055,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.654{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\win_exchange_cve_2021_42321.ymlMD5=559A708FD4CFC56DDE729B6999C835D0,SHA256=4710839F794F1BF746209A2381B426F1E78F598C4C564B0201C24AE8B5D324BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.651{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\lsa_server\win_lsa_server_normal_user_admin.ymlMD5=1FF8C33E977406E25B6317DFC571011C,SHA256=1FFDA8682CD355FEAE15E0BB1D83C73F17C254245EF130123380350E0E49D9AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.649{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ldap\win_ldap_recon.ymlMD5=727E92FBB2262C90BBF452D8D247D54A,SHA256=BB5A50FAE64FD9755666158C2C8FD5107D586143467EB7709936C23A985B9E60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.646{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_setting_change.ymlMD5=9F0B2AFDD2E7C252452C468A5FD219F4,SHA256=7DC84C1D25FD35D5C6C665E1E755B8E7B35DD6D5C5FBD4079B4F974C7B7CD56C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.644{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_reset_config.ymlMD5=335DE24DAD6F585E660F12A109986698,SHA256=12DC6BE848A4FF565BCCBD11C18C6DFE6E53A6E19CC7B7D7FC6A0A4B76433541,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.643{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_failed_load_gpo.ymlMD5=60DF675DE893FBF82B53B9BAE47F4C51,SHA256=5A9E666DA2A4685E410A3CC277C912B17A6DCBCE115B4916133E4593431E7B91,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.638{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_delete_rule.ymlMD5=1CB0726C8FA3339B2CD6C54EE52225CA,SHA256=E9726A3C1B2DE264EC0D7170207F259BA8835D474A1B67F3A4001FD5C4753774,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.635{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_delete_all_rules.ymlMD5=1545C2C826E576FD4384F18F582C287E,SHA256=051DE50EF591181A25AB7B7394C0E8460EEDB9BA923137DE4251FD423C78B79F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.629{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_change_rule.ymlMD5=6810B3446486203F4A6627A1761652BC,SHA256=6A1A829A986FE8323B2315C50A56FE75B1C74BD31AF76FEF7E30AD7A86F37A10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.625{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\win_firewall_as_add_rule.ymlMD5=549087EDDBD8280769D35BB81BC2D98E,SHA256=DAE6A5A7226E77C3FE732EAFA4C74A78860E21550365651E3F3A2D960CD4AAA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.621{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\driverframeworks\win_usb_device_plugged.ymlMD5=2414598D66D2573D491774DAAF2ACA0A,SHA256=3FF70C79A261C4129FF970F68BD690EACBAC29E2838B9A478AD85755BE15372B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:31.620{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\dns_server_analytic\win_dns_analytic_apt_gallium.ymlMD5=FFF2D8B41211E7D768E1340EC1F123F1,SHA256=7563F7721EA5C835350561F1F10B81241B31D84D5E4D21321BDE31F25C5670CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.518{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_office_dsparse_dll_load.ymlMD5=F4A762C65EC2574E155656D9B70EE1BA,SHA256=7B298E0D2D34E99F12074F27157F852DF748A486DFCD7DD5BC8812518369BB32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.517{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_office_dotnet_gac_dll_load.ymlMD5=D1FF5247190C761A6D6FE5C1E112E967,SHA256=97F92EEBA04F858167FFCB66692871656B3B75C4E071A5D1D826955295DDC9F1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.516{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_office_dotnet_clr_dll_load.ymlMD5=DA0652C03B1A4E7637615BB33C47161B,SHA256=AA71DC982122808D6F748E1A66FC90E55F822899390E2BCCC64C6424AE5698ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.514{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_office_dotnet_assembly_dll_load.ymlMD5=C694578795F05A83A3507EE367C6002F,SHA256=74CD5AAFD2B5B3CF53DEB58E007DDF7F828061E51251B94FB4BBF8ED36177080,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.513{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_fax_dll.ymlMD5=E8A4F033EB7366D9E35B5CAB69E7A609,SHA256=EE98319B37CC8FAEF1B84B8D3BCE844F7FCC412EB53EEA2D01D4586B61C19D52,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.511{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_dll_load_system_process.ymlMD5=17DE23E9AEA7D8BA041DD11D187EE619,SHA256=FF92AA08EF5687A73623369F1E44ABEC891E7123137E5E1BD26C22A1BB8EEAF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.510{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_dbghelp_dbgcore_load.ymlMD5=F30029A2997EA9F64CC2AFDE156D7B92,SHA256=A7693B628BD1099A17DEAD118905C23C26550626B85D98C11E6BB18CDD353738,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.509{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_cmstp.ymlMD5=D386E7FCA68BF16714259C7DB7FB0254,SHA256=F30543F99BF9C06503E47F0CF347135AD53B88B91A1C8A51BDFCA742A5E5EF6A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.506{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_susp_advapi32_dll.ymlMD5=EA34492949BD7CB7E27486D116D1511F,SHA256=97FA8366A967804EC90B108835D7C32520837A683625D5C9740C791CE83DCAE5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.505{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_spoolsv_dll_load.ymlMD5=CAB84450A5D99696C653BD5BECEFE85C,SHA256=2C65DE57EEE518120AA2C3C1449DBBFCE2460907C5B59D8944BB2B5371278378,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.504{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_silenttrinity_stage_use.ymlMD5=3125CC3AC3B0996F7F9B5FF0519AA3B1,SHA256=F47B7623F5A12FD2F202313345D0A2B287111FB106DC7D054253E1A3CCC576DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.502{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_web_browsers.ymlMD5=2B31C3B6D91B7BDA6C95D924028EC535,SHA256=ED980C272E3F7963BE84DEA4DE9F8FD41B5304377F27C746D2B8F7D4EE2D313C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.501{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_vmguestlib.ymlMD5=E6CDF48B28078A097D277FE8FAC72CEA,SHA256=0BD5F6D2200BB0BE13FD61082D0034EAC21E746B3118F2CBB7D4FE5E9AEBB774,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.500{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_third_party.ymlMD5=2FF0F2E0F22AEC24FF7BB3AE1C9184C9,SHA256=165978D71845C55ED728FF162041A36C30E2CE9B19743CCA0BF8E25F382EC0A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.498{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_scm.ymlMD5=D850F1B53E3D7783DF237685EFC2C7B1,SHA256=2B1CCBD2686A0FE154DA3B1CCD709F978B36AAE33651DDAD2754AEA39F437D22,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.497{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_office_dlls.ymlMD5=65ECCB07F8E0F5DD45D2CA7159FF8996,SHA256=1544855C90D38A08E6F5726512E6AAF705D356F6BADA2DE81D47BDF9FCC50053,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.496{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_non_existent_dlls.ymlMD5=0AA5C2DFEA606CD9F9861D3C0814CAA0,SHA256=47E6BEE73CC42E13E555CEB3DB17E40AF174A3DC7F3DCFA1A91B3B230DB1E38F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.494{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_jsschhlp.ymlMD5=DE3486DAFC8234F4DBD12F85BF3BC507,SHA256=0A40E2AF28838DB9F0EF4379C8C34A5E2B54ED40366DAABA6A623CB595CCDF14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.493{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_from_non_system_location.ymlMD5=E621089E3D05F25B78BB3C205523C713,SHA256=1F701A3CCAFBC4A3D815DEA82909213EE3131EFF1D301B75AB2D8F60F00068FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.492{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_dbghelp_dll.ymlMD5=FFBD9976773599C516E0E61B8CE4DB68,SHA256=910954E8F2DABA2C60E2623A7A2F8B9AC2CBA450BD70CC548F0DD42BB80139AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.490{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_dbgcore_dll.ymlMD5=822954431EE3B6474730DCF32CA013E9,SHA256=5001E0B3FFDC5E3106DDDF968F72C839988345214010106928EB03512D4D46B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.489{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_comctl32.ymlMD5=C78D26900254F51B6FC0EDDD2049E1EC,SHA256=CB5895CDC1B8CF95B1C85385135181FE9BB4C2CEE53D1722680FDE9DFF1F4877,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.488{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_classicexplorer32.ymlMD5=E3415C39CA3724F4B739E5CFD3725ABF,SHA256=3211C65BF28312929AAF8B0DC92A4E54CA327D42E3C23C0D09533C9E4E40E50C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.487{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_aruba_networks_virtual_intranet_access.ymlMD5=698909D55E0282EFD73617F27F210257,SHA256=DD893195F70F7F8EA5C4F1566F62A328F4CFA052D2281A68DDA4E58B2025958C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.486{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_side_load_antivirus.ymlMD5=A19431054879B69A6513D45CFA5020A6,SHA256=BA5AF846323C0880EBE33762291110E571BBCC8E2345D248D0A44B4A35EC903D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.484{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_scrcons_imageload_wmi_scripteventconsumer.ymlMD5=2712A4C75DD5A677ADF3AD6501F9AE14,SHA256=59635263F7C76887032727E6ACA81C244C63D99869934CD6B74F54737F34E5CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.483{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_rundll32_loading_renamed_comsvcs.ymlMD5=4820342A10285236B89269807FAFB417,SHA256=2310C7032EF392ABFECFF7D0DAB30F8F9904A97DB8EF6C65973FF46D69975FA5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.482{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_pingback_backdoor.ymlMD5=C293FFBAC3B32B1C22BCE8BDED563DA7,SHA256=01CBD76D999A9B8EBEB5B1E5FD9608251FD2AB83AC8E140C21B26BA877F569B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.481{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_pcre_net_load.ymlMD5=B74D29AAE8AE9B83410DC0BF70553C08,SHA256=5E148C0441EBEFE28C73871687B35C355F6A25EB26772450FDAA2B568E60E6F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.480{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_msdt_sdiageng.ymlMD5=088A95C1D1EB254416DD440CD43F4254,SHA256=3969C252D5963557225F4D9F778A335F32201AF125D729392E6068FD1F40FA97,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.478{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_mimikatz_inmemory_detection.ymlMD5=233AB5523088034728E30EBDD496CD42,SHA256=95662F8A24DE4E9A3DFF9349CA4491BD509886909F775A79CC5D82DFE46A816E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.477{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_lolbin_coregen.ymlMD5=BB04A485F7AF8460CC3F0DCBC1B0B53F,SHA256=B92417E880144E62C8537F21360C63E9DFAF29CC36D6DD507F0BD23BE0359593,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.476{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_in_memory_powershell.ymlMD5=9034BBD0A9FEA055983220F6245A9C53,SHA256=E04D8CB6CC29BCE0BFAD95687E86CE6668D8690F5ACFDAD487D07D904113DA7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.474{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_foggyweb_nobelium.ymlMD5=2F4FD2EFE9D6E8379ACA778641C171AC,SHA256=B250F28ECC69B1C0C658C2FBAB127285C35FDCA2D346D857A08C56AB0A5DAA63,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.473{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_defender_load_dll_from_nondefault_path.ymlMD5=0DC5ADA20909D32C02C81EE4A86DC885,SHA256=081F70490AA5C3BC95BCAFCAE462E2DA33F5C317591E52EF431C4783C7451DD3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.472{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_dcom_iertutil_dll_hijack.ymlMD5=2A304F60BA0800B3D89758E948AC10F7,SHA256=5E9869B0A346C08C09B39FB7EC16BD1993950872DB664694AE8FEEB80C95B383,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.471{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_alternate_powershell_hosts_moduleload.ymlMD5=DF74F010DCFF0568BB54805D1D788D20,SHA256=DBAC656762239C0FCB76CC6EBC7575AF48E263A21AF01EE5A73C28C4EF5AD585,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.469{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\image_load_abusing_azure_browser_sso.ymlMD5=A581D4F9F9290DD3A1C2CC20EC96C089,SHA256=3634F87F327A7C828F498586FE4F8AA7239DF52CF3106ABFB97603CC032A408D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.460{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_rename\file_rename_win_ransomware.ymlMD5=094B661103EAD3F531FC8EB6EA838EC0,SHA256=5F5D8DF8994B25DC7A7142C46021E6896843E78DE8EECF07E98608E4347B3F43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.459{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_rename\file_rename_win_not_dll_to_dll.ymlMD5=2371D375D175C428195FB3E80B225FD5,SHA256=72902FA5165F80A70B7656B9A64371EE227853AEE63C391F7B81A075E3776FAD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.457{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_writing_local_admin_share.ymlMD5=4A1389765D9AE873B13980A0E73A851E,SHA256=A08F28C3630155CC7FF62C0AFF04871440A9504ABB5CEEF24E286EEE4F1F116F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.455{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_wpbbin_persistence.ymlMD5=D97A9B48E8C856BD14A96A788931D45C,SHA256=F078A963759A352249C6F04B6E39B27F4B126D10B2B17DA318080FE176510878,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.454{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_word_template_creation.ymlMD5=ECE6DE94FD867FC2B6FEA4DE6A68C6C5,SHA256=AE933986539C4FD7553B4A73F893041D702F8D1BD419337AC2F13538F03836B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.453{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_wmiprvse_wbemcomn_dll_hijack.ymlMD5=80A0A6DB18561CD40C6E2C0A1F07C50F,SHA256=25E8DB6B3A3B10BF0BE8285C94F88972CC1A1C8F89F0BED6BCCC5948AF808454,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.452{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_wmiexec_default_filename.ymlMD5=508A6D5044FAE5746E53AAD361013BC2,SHA256=BAB6DE1223BFD1A3480B6C2E44B5F18E13E00A4090B847B4F43F306BEA360A56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.450{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_wmi_persistence_script_event_consumer_write.ymlMD5=EAF6E620A0B0AC3A8C13B8BDB9955575,SHA256=DD0282A56CA62BCFE6BF2C288E4A93FCC59D7B2212043DD0490E5AC0F3364FE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.449{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_winword_cve_2021_40444.ymlMD5=E82569F4065139C49A143F53753CA10C,SHA256=1DADA729FA6F2AE87E615E4948D3B25C06D25D14E55D19F55E2CBCC34F0DA263,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.448{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_winrm_awl_bypass.ymlMD5=ECCBA3C133B64D335D219A1878CCEB76,SHA256=D8AD1067FCF85671F48F7BE8CB118CC6ECC412B19647C8713BA49CC9C7646273,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.447{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_werfault_dll_hijacking.ymlMD5=B9B102D53B480CF9B144824C09E01E7C,SHA256=EE991A2CE84D499FE2767EF6B9DF7D4B3C9A68D4F5FC2B05D5A82834EA9C3DA8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.446{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_webshell_creation_detect.ymlMD5=C09455F19790C772CCE8BBF9A7D5CECC,SHA256=CEF5DA2D639C98BE851314C345A15899C84104CE7B31CB11FAEF7652BB393663,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.444{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_uac_bypass_wmp.ymlMD5=FA70ABB971255936059F51DB4552EB70,SHA256=3CE9F2D0C764CAF34B890E70BEF60A34DF3E0B39590F531BF3939707F4C109C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.443{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_uac_bypass_winsat.ymlMD5=17C6E56387594AA1C05D8CD6CFB8C493,SHA256=3305ED06FDA5D61441C432C148BBD27F1912911AD361D952A4919650EDAFC119,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.442{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_uac_bypass_ntfs_reparse_point.ymlMD5=97982A45818BFCB2ADAF2D9354390AA6,SHA256=02094B91E42CF770352A33BC5AEE357FBC3004530433130E7E137F7DBB73E848,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.440{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_uac_bypass_msconfig_gui.ymlMD5=6E02B283A7962EA8B7D2AEAB79E0E322,SHA256=079A0F6B5AFC3FF251D357794DA1BA85080FD4A54B0777F565C65274C4FE9C8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.439{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_uac_bypass_ieinstal.ymlMD5=440F7D8D07AFA3074422A5AA7EEB0578,SHA256=389657DEBA778CCF2B42FFEC183A868073A6F028A7E2F6A0CD4FCC125FDA851C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.437{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_uac_bypass_idiagnostic_profile.ymlMD5=401861AC76971025614100ACEBE943F2,SHA256=D3540CE18C4D5756F19BBCD9550BDFF819B8A68128C959E1E9EF674F6E756D26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.331{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_iso_file_recent.ymlMD5=934BD651BE0EC901993907111CFB6563,SHA256=D6CC9FE589330E1AAE961D6E4C37CD5D623E5BBDA403947AF1107B487E243299,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000259752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:29.091{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52413-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000259751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.309{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_iso_file_mount.ymlMD5=EF798FAE076EE129EADB014D5E56BF34,SHA256=DFF0EF8CC373C8D120C542672A48F06C86BCCD15A75C100DC40CFA9FF66ACCB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.307{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_iphlpapi_dll_sideloading.ymlMD5=C793721AEB9A7DB915DEBDF76597A6FE,SHA256=1D06BE78819A4D7FAD60AD019D6B002F6A40729906423215F318A19D6B7D1D69,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.306{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_inveigh_artefacts.ymlMD5=DB2827558C2302DAAC36E191C87B4202,SHA256=D0BC39F5B128DD3A3AA3013654AB3F6435A368191A7C643DE77D3ADEBCFC5284,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.302{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_install_teamviewer_desktop.ymlMD5=0E0AEF967032427C5E9DAB10AF2ECA53,SHA256=E9D940A51FF25C81FE0D2A4AC5AF63D5D9C972C8E07AD6A871754173C3B87899,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.299{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_initial_access_dll_search_order_hijacking.ymlMD5=7AD785FC46EF2F1355B88227D4DE210E,SHA256=A1E44A0F5634578788658348AAA08FBCE2D029271D1B2C31168865F6519B3033,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.297{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_hktl_nppspy.ymlMD5=178224C3A5202C6DE90DA8FE38174BF2,SHA256=B5D101386BFBDE6AD68FC335100CDF56D501176CA50153FE38F55F0FCAB7747D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.296{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_hivenightmare_file_exports.ymlMD5=F4FC889BB1AC21364ADD4132D6A01F03,SHA256=2BD1CF0617E2FADDAB4C76FCF96D2A0525E2F17D7F5AA25DD04E82B652295533,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.294{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_hack_dumpert.ymlMD5=0F991BF49F66871A7CF99CFBEE5D5E60,SHA256=486AAEE9272BC4856AE71F1B31106EFC71DEF60F8DAB6D34ABB2B254C581D807,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.293{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_gotoopener_artefact.ymlMD5=F01E6713AA50B824379F90C02D83DB7B,SHA256=215BFAC4D8EBD97C1224B6231EFF233BD4F9682AB4B3D594987D8DDFBE2784CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.292{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_ghostpack_safetykatz.ymlMD5=079A7F6DE78C7AD2B3B39E817A25959F,SHA256=7252AE0A9FDD4F349A3BDB6117129042007A246925241E3F1D3B60E3ECC2E80E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.290{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_exchange_webshell_drop_suspicious.ymlMD5=31F3B4776F836941F53954A7D15B35A1,SHA256=EC678820ADED11C6D86AA131E21FAFD55523FC6616F6F50327281406E9D60A7B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.289{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_exchange_webshell_drop.ymlMD5=05A4D7568A304FE99A30134F359A35F4,SHA256=F8FD49596950F33A2B2DA30F5F31995125C15264430937F7E75D293364DB8A79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.288{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_error_handler_cmd_persistence.ymlMD5=7B457295895DE70B3E217F9D845F73EC,SHA256=3BAFCB1862D38020009525CC49DEE8BE3BAFE93EDD51DD3EFA0A50DC1E17F245,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.287{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_dll_sideloading_space_path.ymlMD5=142854C2614C305A37EF5F06C90B4B3B,SHA256=A1F638DB254464BAAEA499BAABC97FAA309E282978C605F89FDB933E2121F661,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.285{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_detect_powerup_dllhijacking.ymlMD5=BBF2E8A4F78B0BCAFF456EBD31A04B2F,SHA256=1766D9941F43E0081578B33776F4BF866E318BF04663F0454FE9741F41B56A4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.284{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_dcom_iertutil_dll_hijack.ymlMD5=F440FF80E726CB2C017364AD7D5450A6,SHA256=A7DC769C7F26756D39B60C1763C63C57EAB85B07229BCD111319FF2AA159ADA9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.283{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cve_2022_24527_lpe.ymlMD5=82A9DD0326185C9A75C23AAED804DD06,SHA256=09B7711EC431D9E0F0F3DA029AB117AC7FE109BB044810F82121AED1B0DC2CEC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.281{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cve_2021_44077_poc_default_files.ymlMD5=7D5407F3E79E8D2B15EEDF2BD699FDD0,SHA256=7DBD261AFBB348BF3400073F1A641DC945BAE26AAE34275D2B001187AF92C5A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.280{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cve_2021_41379_msi_lpe.ymlMD5=459C4303411E9A4E11DB94F9F07CE16F,SHA256=8A1ACD7EAA10F82E03236CEA4D5839FF722BF3F8A9D19D437594AA468AB38E59,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.279{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cve_2021_31979_cve_2021_33771_exploits.ymlMD5=3D5C48C211900484B37E91C95E51BEF7,SHA256=4AFEA04D0D4A473AECA58CF7425434F0CB5C1DBDAF813D1F29A46639FC5EE9C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.277{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cve_2021_26858_msexchange.ymlMD5=1B00E09FBC135AD7EA45AA87A46022F6,SHA256=E73BB79582A7D583A9ED86646F27977B71127CADA5F3294C24F7AC706C5F187E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.276{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cve_2021_1675_printspooler.ymlMD5=04EF258BA81650A28642585C59005ABB,SHA256=BE9805D031E483CF0E4DA24831EE3D00CFF5B7E31385C9AF3B574D50DE23A5B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.275{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_csharp_compile_artefact.ymlMD5=C644F5DA2FB787F259CCDAB436344B54,SHA256=662094E58363616D01D4576C67FF150B6AEC69DC0106950FE4F60B938D775388,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.273{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cscript_wscript_dropper.ymlMD5=C99DC47DE8752B7CCA3D80E92972D74A,SHA256=468D03CBA5305F37B70B58AEB2D5A5F8881D65349B282024F179609708AED608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.272{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_cred_dump_tools_dropped_files.ymlMD5=9FE169DE0AF1F537708E8903BFE1FA19,SHA256=E00B9CDD4371A09890E0634DDBFE1D9C409DD390BF6268EF12E723235ED8FBF4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.271{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_creation_unquoted_service_path.ymlMD5=F95CEEBC729686410AB415F131B48187,SHA256=E5F49CFA169B3C0FD8A1ACADC628671978C9E78BF29267FB1FEAB062DE62A09E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.270{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_creation_system_file.ymlMD5=3718901B48E959B64CC4F28B54C3427F,SHA256=EA56271C4982F0183C6E7A8AD212C58667D54CFFB240E59B143CD7A107289426,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.268{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_creation_scr_binary_file.ymlMD5=56CCE8F61769EE39917902A119F966F2,SHA256=0DCA5CC81C588A832C540A367E28A3CFAB2865BA0E13D9D44BCE3D5CCAEB1D0F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.267{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_creation_new_shim_database.ymlMD5=FB1496613A4B27677236951E6794E45C,SHA256=D9612947353FBB673880D3A98C29B88E18B6F2BA11A2CD843161445DDB643E9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.266{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_create_non_existent_dlls.ymlMD5=56EB0EB582E3251719ADDB25CB027FDE,SHA256=9456DDCD34796E6B1F6E3DFBF8D9BB168CE18F6046803872DF8067DE9691557A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.264{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_create_evtx_non_common_locations.ymlMD5=916D65370DC08DD2AB2C620CB466D5CA,SHA256=19C06632B8B4F0B91F7BF76E800B9E7CBDB1BC86E59ECDAE1037DF6A793D1CAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.263{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_crackmapexec_patterns.ymlMD5=44179F9A09C2255B6E23BFFD99020A12,SHA256=38EFFAC830B55F01161D150118A0C6AA9A917A3EFD9E9BAE997D1A1F2A811CF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.261{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_bloodhound_collection.ymlMD5=FC4D37F398E1C3FAB0650E424252F62C,SHA256=FA60B2BFE6CCB5F3BD97D9F3FCCAFE4F9471FC710F595E172AD4306D75DE75A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.259{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_apt_unidentified_nov_18.ymlMD5=E8A5CD324A55E83DF4A545BC32B59E65,SHA256=2AA121B5EC922C9ECE42CCC1BF52127A66A28A4E6BDE9AB7FE907B622179E681,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.258{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_anydesk_writing_susp_binaries.ymlMD5=700D3C9865A565B6B619106AC5231A30,SHA256=F72B9D8B88E4FE2BF85A84CF3A422A9EC2D0C6511E6D0945901ACCE25D8CDE98,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.257{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_anydesk_artefact.ymlMD5=67CDFAEDDAB1E1AE1813FFF46E16728E,SHA256=398090AEA80F09A21290AE113164A444953660F9B2AEEC65C926C9549E1BDB52,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.256{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_advanced_ip_scanner.ymlMD5=4A0717AF7722E7897D737E84349F7675,SHA256=9C5E0CBF2B1A42F46E802858F8A3BEE2C2EC966DC7BE32D841B84CFAE810654C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.254{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_access_susp_unattend_xml.ymlMD5=0DDBF72C349E76F0EAF398377BFD8CB0,SHA256=1F4638BB76A585EB9C081FB24F6A0F80D1800B9E71353913D6E530CE06C211E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.253{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\file_event_win_access_susp_teams.ymlMD5=108E63139EB45BA7E1D759EAD5090047,SHA256=5308F72358F0D23FD62DE767379CD0A5A756CCD68F0E04DE9642FA934049D747,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.233{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_webserver_access_logs_deleted.ymlMD5=C8D3670D5B21B385021C8B5D7A9F7B7D,SHA256=9558E7E09D8965536A9C7BE846CED151EF26FF9D13065D8E7FDEBDC67498F455,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.232{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_unusual_deletion_by_dns_exe.ymlMD5=C89FBEBD826681985A85A62338B20CDD,SHA256=FD886F7FCDA5FE51FE57F7278BFA4055E14FAD0DF2C1B6835F9DB7AE65FC0310,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.229{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_sysinternals_sdelete_file_deletion.ymlMD5=D0B5BA6585E6F7031244930B114083D8,SHA256=5AB2021BBE6095CC0D39218E5BAD7952B4818A62A61FCF92944F095F2C440F6E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.228{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_exchange_powershell_logs.ymlMD5=49D430FA4F0EF3397BBD137170E61DF4,SHA256=D82D4A8DE8DA0081DE99BBB3350247D72ADB33E11616DD4D98B263E66C5B62D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.227{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_delete_prefetch.ymlMD5=771FBD14F8EAD3777A2F439B6C02A047,SHA256=200DC6BE2DF9C40765342F9CCED4D31FF3E87AA270BE9E34F6E6A477D824C8B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.225{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_delete_backup_file.ymlMD5=0E6F2BF718F4D39195137567FB88A0D4,SHA256=941F06E496DD733624855C4989FFDB5634FBCF6411C39FEAB35277118124A209,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.224{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_delete_appli_log.ymlMD5=325B09ACB329DC6ECFB23E7B83E27C9E,SHA256=7BD4C0222E2E99D004267B3E7B77AD70AEF9A11E8356C2C20D8585C0582B64CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.223{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\file_delete_win_cve_2021_1675_printspooler_del.ymlMD5=DF2E5442BA1EA79288CEC3309DE1F0B2,SHA256=CDE788DF4D956CD48F95DF7ABE18FE7D79C59FC7C4A98E328802BA4026E4036E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.219{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_change\file_change_win_unusual_modification_by_dns_exe.ymlMD5=CC3F054A07CB52D11A3C378DA03239E7,SHA256=A409CF9EC8A5D0235B3977BF255642714CAE50003F32E59D34DF843B8F8E619C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.218{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_change\file_change_win_2022_timestomping.ymlMD5=80CD8892AC254BE185564875DC8B4E92,SHA256=55FC558C19AB0145724E4F134ABB693701E12397D48E879FC1EAE8D52B61C93C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.215{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\file_access_win_susp_cred_hist_access.ymlMD5=8FECEABD0893226457A66C91EB9159A7,SHA256=57D4E43E466C4522110D8BD23D27B03CC4AC1652EC1E48985508D265BA008D45,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.214{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\file_access_win_dpapi_master_key_access.ymlMD5=08EA1B145EA78071C7869ED1FE7013D0,SHA256=BD1326D24C61028E4019038C73E0523847FF8DBB84E85549CBB0C5CB8D0BBCEB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.212{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\file_access_win_credential_manager_stealing.ymlMD5=40EB91CD9AF828306BE5D27C6FEE934C,SHA256=C44C48943319E0F41CADE398C33DB901E26E8E4C855580E00262B526F5E6F178,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.211{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\file_access_win_browser_credential_stealing.ymlMD5=6CEC919C394CF74F7AC3D247EE2D9011,SHA256=104E33298A91AE1EBE4282345CA71894C95A6056B81BF358FE33D5F2AB522EC8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.078{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_system_update_error.ymlMD5=3B5B87FE500E4B568CA047CD9DC526EB,SHA256=9338F2289A788B4AAC37D20367B1E4D6C7F90FB56F7D2B2CFEC65F323F6D0203,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.076{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_service_installation_script.ymlMD5=BFA7563B0359FA36F6F778C80273C183,SHA256=3CDADF2EB4FD9C363150FA8B859FCD6C9BC45BCD7DA58525467110AB21801972,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.075{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_service_installation_folder_pattern.ymlMD5=4BA34135DAD05A2ED0EF2CDB73B1DB64,SHA256=99C42EC36E382C4B138D1EF66FD16F4E72A0F5659396A6C9D967CA93610BEC79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.073{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_service_installation_folder.ymlMD5=B116FF1FA66D747B6A5C6FD8E6CCE095,SHA256=5B7A8B66242F9AF8EE838F9CEA476F8F6AD24B6EF5CC8B4EB0FB192BBF23489E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.072{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_service_installation.ymlMD5=FC880DA0F699399FB299C8D3BB59D99D,SHA256=E8B669AAEE7008EE2E30424EE717D3FFEFEE04839B9C4E1B45CF9AC2A1A93F2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.071{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_sam_dump.ymlMD5=10D90C8776C52CC70924B3976F5C490F,SHA256=900C6AC6E727CFE9AC4AE18FF73967391429718BAB58F23B75B2B9DDF8E9C6D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.069{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_rtcore64_service_install.ymlMD5=C3A421667A51751916F48B0A3D19096F,SHA256=9DB1856C478BC135BE3C1AECBA6645D47C269006DBC0B118EDB74AF94A3F2CEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.068{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_proceshacker.ymlMD5=E9C9CFC9B99EC37FE070E6E7EA647911,SHA256=E6899FEC9E503C9F24B64D8D4DECB74F90ACF7498269B4C55688019F2A8C23C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.067{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_eventlog_cleared.ymlMD5=A91534B50321D2E579AD7181DF83E7C8,SHA256=7C4CF387E28739792FE68DFC940546E44A48B68A9C3997C01D9282D9E6871D47,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.066{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_dhcp_config_failed.ymlMD5=5ABEC2D7BE3A3596752731FD471D1260,SHA256=AEB672D350845D4A9D0ED7BD02AFCE7F5A943AC9FF6BFB3DE48659AFF28082BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.065{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_susp_dhcp_config.ymlMD5=488604FA00EB1DF1FA101F9AD8CF3F20,SHA256=595A3CD5BE40407A7BC608A63E1C0AFA88FA69A1BB6236760C425A4013A90868,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.063{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_tacticalrmm.ymlMD5=2448C5E5CF97B1F5C728565D6887BDA3,SHA256=495057386D261C53B94F7EA99BBD8E7DC9D64E17044F8A1452DAA0E635C10B7C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.062{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_susp_double_ampersand.ymlMD5=BE005F3D0EC520373704B8A8944F7FB5,SHA256=80A36C70EED74CF8A897B6259366B96F2494DE5A0585040A907046F031DB7BC5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.059{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_sliver.ymlMD5=753C913A4A1A265175CD4B26C18A2AEA,SHA256=6347052B67C255393FD89A67AC5CA184C749D6D605A1DE0DC7E00D4F173800CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.058{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_remote_utilities.ymlMD5=E001370C06B03303657735A9A34CC24C,SHA256=869D21F3CED35397E545A12CA9E465AD9DE4BEFE86EA9EA7C0B617D6001C76B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.056{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_remote_access_software.ymlMD5=0B414DC24ECE6DF041B0BF2AA40BD9ED,SHA256=0F13FD3E4CFCE7381A48C4298472F1C85B01515987D5C52D19555B981C73000F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.055{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_psexec.ymlMD5=73553F7A0CD584BC348902464BB241E0,SHA256=4F5A4B0DD7094D4870AF30C1F7755F4B645C597ED3BD1ABBE14C7CE37B62E85C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.054{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_pdqdeploy_runner.ymlMD5=8DC8DF037FE7035BBCDD73580E726438,SHA256=B139CA24774C011DC6D5D925C0017AF68900A52EA8037EFD59EA6B9D876B748E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.052{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_pdqdeploy.ymlMD5=C5CB64106739CF685BCFDFC41539C02F,SHA256=87638DE22677B02CBED2BEB98312B1383EF3AC41C9D3E5C76EE50780BF3D20DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.051{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_paexec.ymlMD5=173B2791E0F94A8BA22A2AB32FF93042,SHA256=7BFF6488A31F45D6CED7838DDA146C379E03E0B1E594B100D44C3EEDC1767850,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.049{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_netsupport_manager.ymlMD5=BF0406B82B00A2236353E524CCE25665,SHA256=ABD16ABB4350257BFD3319663C7CF3B0622406B36F3707C9ADD1CE3EC1911030,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.049{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_mesh_agent.ymlMD5=A21A87439CB7004FFF228F453DDB00A4,SHA256=F6F23E0465834D7D8B3BB2380BE9ADFD84FE664519790D30E9F7D222B7CD3473,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.047{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_hacktools.ymlMD5=6E71E629051886E05F4574B7884129FF,SHA256=E972EF9343ED7A7E7F32FBBE625AAB332CB3E09C909841DE077C8867BE616433,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.037{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_service_install_anydesk.ymlMD5=F409A3CA1B02C313141AEE058AE30768,SHA256=039AAAB83E4590B2F168435B33DA134E5E31C4A3EE41E65BEBEFCB70C5B3E7FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.033{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_rdp_potential_cve_2019_0708.ymlMD5=D3017525DB2DF901633B9F7082EAF4A5,SHA256=6A222A2D8338974C059CB35C2A870D6AC666EDF1609DD9F7E6684B69641A0CFD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.032{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_rare_service_installs.ymlMD5=0BEC1B3B5BB0F1409167F73C01EC723B,SHA256=F6D62C15AF8DC09913BCE8A85E79F261656869FCC9C2B1C65D790BB85C047F56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.031{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_quarkspwdump_clearing_hive_access_history.ymlMD5=CB7AE046A9C90744D762CD8CE85032E9,SHA256=B31671AC8B970F86F7A5AE52E030A12CA7DF65870D0C04E617ED8B3C4133FC89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.029{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_powershell_script_installed_as_service.ymlMD5=BFD0EA4E4AADBB569F62C63D81169DCF,SHA256=C63CE1106BCB0CADF2B0F317BD494006599C84CA4A7C706F386AD1CA3E380562,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.028{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_possible_zerologon_exploitation_using_wellknown_tools.ymlMD5=618B9E9AE097B7042EFEFC3392A48A46,SHA256=18C634CAEC96DCDCAFD924905BC3D13CC83D64A022F1D5F8D448750BDFC910F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.027{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_pcap_drivers.ymlMD5=1367807637A50E95098B6604F0C0018F,SHA256=4BFC05A97B8605001C9218E856A3A6480E3C9B37849C6B67B0AD5BDA251DD481,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.025{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_ntfs_vuln_exploit.ymlMD5=637F690F831FCC13A924D35E45E33471,SHA256=C20E1862F8A91D3BC66663E6F2C9C7F1E4C0190CBB718C876477B6EC5B2E6FE1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.024{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_moriya_rootkit.ymlMD5=17A9FD80CB17AB1CF1788E571E6F7CB0,SHA256=AE7CFD04A67C6F90A110D28374D41F5FEF3710B865D62D763538F1B055A63666,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.022{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.ymlMD5=413649516F7EE1A73C3A290F8B49BAC2,SHA256=2D6656FFEAC8D6DDF53465F673565209B0EFB2C8D1CF55C17D32E047360CBF69,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.021{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_mal_creddumper.ymlMD5=0F167DD9A88F75521CF301EBA15227FE,SHA256=1D79A99FBDA7B43FB143B4DA3E45DE251FD125BC1133E6CADFAFEC359483ED2D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.020{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_lsasrv_ntlmv1.ymlMD5=1FC042856C2640FE36EB46E6C5EACFD2,SHA256=6A8B442298FCD20DE345BD99A7B5F20898EACC757AA18D13FD4A5D6C22BF53D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.019{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_lpe_indicators_tabtip.ymlMD5=CFB08AA4ECA5F862C359F00E8228CFD2,SHA256=6A48E6685907A112D2EF215B94441B492D8F6F722920721E3E6232175CB21746,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.017{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_krbrelayup_service_installation.ymlMD5=6C37BBE9E6A2E08D90A8119BCD9A8E47,SHA256=621F9BBEFB045AF4A759F1FA12488775FD6F819CECAB2CFF5B8F56462B736909,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.016{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_kdcsvc_rc4_downgrade.ymlMD5=8E81BE3059E40539B0C10A1CF3A55DC1,SHA256=1C08F3F9698E9391E9CC40BB92808E680351214B77246CDB05F6E427A9465B04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.015{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_var_services.ymlMD5=CBE1AD01F516BE27015287631E819C7D,SHA256=6CD7C1DAAF59ECC5248696257CF4CD0E24E0F9524DB7019F6DA7D844ADB46107,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.014{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_use_rundll32_services.ymlMD5=190F02250F6CAD815F6A502213F62F81,SHA256=36B91A3A3D2287FB177569E36D0154651AB591168FE21E0765CCEA6BDD0EFDD0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.012{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_use_mshta_services.ymlMD5=78A71B924719564939F066CD2AE9C2A0,SHA256=54DDFE0357715F1AC60807DA4F5C6F1E57EBA23D83D705B1E7C250CC69715200,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.011{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_use_clip_services.ymlMD5=5CDD8CA05A93D41ACEDD18248E8029E9,SHA256=A9C8FF67E08D29E3C61D924DD66F6EFADA8503DC7378AA160BA37CD6B0CA9A26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.009{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_stdin_services.ymlMD5=5A1559F289186165C78FFCD6065D249D,SHA256=32F0BEEDF8151B12B2042FBF52D0E1B4607B5C9A83362F5003119BCF95FE1A35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.008{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_rundll_services.ymlMD5=9B76E3AE62ADE761F37E37213B14D859,SHA256=C66A1B3848EDFF595604E72D1DC18E0CFB2B0AADDC59659B04740469D43E83B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.007{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_via_compress_services.ymlMD5=04EA0695039EC4ABF56E60179306D0A6,SHA256=3BD3A54E7A80C8209BDEC1F419C056144845E8B3986D13929AA7661392B4B433,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.005{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_var_services.ymlMD5=755727970705DE753BBEE990E7761C6C,SHA256=F3145FAF69741D94F9707C7E08C48FA88EF8738B270D37C398520C0B76416228,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.004{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_stdin_services.ymlMD5=A37160AECE081404E88FBE5288DF0C4F,SHA256=AE814EB5C38502FC3D13115546EDC26A619920D63FB5D6E267DE139DD4DC169F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.003{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_obfuscated_iex_services.ymlMD5=1FBC6B52BD32C129F7603E7FA17EC149,SHA256=02F02C90EA876A3D31395FB2CB6DE75A8C60AED6EE131B55EA57E54985A1B2B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:32.000{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\win_system_invoke_obfuscation_clip_services.ymlMD5=A57918BADEE3C0B09AC089B4AA8A2377,SHA256=F51B5F83FB450739C60B4ABFA041D9DEB2BAA2494E3292EA56335CF899582AD6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:32.684{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C013924AC910B315F88562EFD0AFC824,SHA256=3FD16133478E362E018D03D24F75229EEF5A18A853B214958EF7219DA6984FD6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.990{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_unblock_file.ymlMD5=4BFB5E8BFA4C38DC3BEF82F7EA5EC27F,SHA256=F5924C54CB9E57B3566F2912EF20C2CE6BFFD738BED9C34104AE1ADA5788AC64,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.987{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_start_process.ymlMD5=A52D4B07E013040575428B12B4DC9C99,SHA256=C41BAEE6FA7B6A7D44131D45F9656624DC0731AF45E43C48C1B6C320B0844D54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.979{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_ssl_keyword.ymlMD5=4A23B4A7DE3692DE9140F257B9843E66,SHA256=275311D5D150DC44662312115A0C05CF48A9DE7C7A61F6086EE536C86C9C6F57,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.978{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_smb_share_reco.ymlMD5=D7DA4F31DCCB365DFA7F023F42EF7CF4,SHA256=686C801D7B979CF465B68C564BECD25F308A1D8AF75805A9A85B81DA88059E6C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.973{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_set_alias.ymlMD5=B7CC15871AF4C1CFD889FB71D2F11FF6,SHA256=33F1617EB112876168D775080CA4704761378781C506B8735024F4FFB0FC4701,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.753{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_invoke_obfuscation_var.ymlMD5=20757569A5C5689BFD42F3EA444375CB,SHA256=EEA215BD3E2A9FAB4C8FFE41659A3C79B656594210C570CF4D4C49FBBA0E61D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.751{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_invoke_obfuscation_stdin.ymlMD5=1DCC6795D23B6E0915BEF0D57CD7A573,SHA256=4785F5923A36FDA35BFC70E6D576367A74B5F985B42F5BDCAF41F2D4B5EC133C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.750{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_invoke_obfuscation_obfuscated_iex.ymlMD5=CA9C93505D4173F1F73C95A45F6991D5,SHA256=2EEA46836826AE845D6D236E80A28489EAF766C6DC8F2D92527E251B85679F22,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.748{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_invoke_obfuscation_clip.ymlMD5=EA911A24D23D69A885D3F149A2ABE8A3,SHA256=FB820C2F77DBA73559A1781309B3AB134FCEC1E7726230853EE917DFF25CDEB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.747{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_invoke_dnsexfiltration.ymlMD5=B4964F65A5837B40CE1DA4F439ECBB91,SHA256=AB659D3D60515897678F0D3DBB47E48C7642955D18EB561232BFBA5B913A47DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.745{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_invoke_command_remote.ymlMD5=578A3F92E2134F1EEB2723E7347F913A,SHA256=E2B619F77A6CBB03B65E9115457360A466702C28492AE2A7D9FBFA3D86A499BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.744{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_import_module_susp_dirs.ymlMD5=6A3DA846D17FE6BBE604C4C4706636EB,SHA256=36EC50AD77DC0EA22E7C06033A1BD5F6ABA6DA386EA26D14792062C49FA04244,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.743{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_icmp_exfiltration.ymlMD5=16861E8B0294B2A9180C1120E2814CEE,SHA256=C5C9F07BC60B76DAD7A9C407D6900CD371ACAF55F2D06260D933C375D56A3DAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.741{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_hotfix_enum.ymlMD5=A81448679D901894F0FAAC8A895D9271,SHA256=D5EE9CCAF8D3406CCE7B7F22D798F7B32FE2BFB36F30AD7518BD16D80A909FFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.740{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_get_childitem_bookmarks.ymlMD5=F20FE94FECFBE595074594FA15134830,SHA256=268D5D821F51E5483C85232F738D7D28ED6FFF1847A1E1A331B556682918242D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.738{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_get_adreplaccount.ymlMD5=EC4564E4E5C15E408C2E2808F2BD77C2,SHA256=90A6E2A86B8ECE57C19DB9B66DEAE7DA56B02489920F2E63AB98FB4951FFD2CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.737{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_get_adgroup.ymlMD5=A9ABE85149D4AF0F39FD310EAD77DA1E,SHA256=EF15ACA1AF087C853D61A9F0684D66A6902D757A4D59939E6B3A8AD9B88447F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.735{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_get_adcomputer.ymlMD5=D36503CC7B064AAF7C54CFED235D64F6,SHA256=EE61FA4F3A4D92D55D01A19FDDDEBAAEF83B1F15A12073EB307C41146D90FDB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.734{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_get_acl_service.ymlMD5=A17A682B6FD46F4A0ABE8B02793DD3F2,SHA256=DCF1E1F9EE922AC816F1B202BA9BEA86EF44D158B9F524B85EE61D889A4E0589,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.732{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_frombase64string_archive.ymlMD5=154868E0F170A794B5F38E3D91B05CE8,SHA256=46355D05BAE707FE78B3CD71D5789838C1CB10C78BC97179E4A5A5B684422862,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.731{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_file_and_directory_discovery.ymlMD5=A689D64C8C63E3A7106AAB5A294502F6,SHA256=A42504035703CDFBA5004915BB80ED6E2EE606BD98727E23A0F60EEBF0864565,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.728{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_exchange_mailbox_smpt_forwarding_rule.ymlMD5=B56A7CE55CA94C3189BA57306B824B46,SHA256=6BE4AC76FA821D0F2CF2AD164C6CFD9FC51C20BEF57CE2F8B53FFAAF91D20914,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.726{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_etw_trace_evasion.ymlMD5=F0EEFA933FE4F0C67618B86092DDE96B,SHA256=D12A228E85C4E2F0FDC50558498AE0C7E534ED6CD1451B662FEA4749597EEBB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.725{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_enumerate_password_windows_credential_manager.ymlMD5=76485AAC4CC34C7803B2FD32782D2951,SHA256=8892AE886147837DE74DA088E3DD356132E1F2EDB7351A571BE95022AAFEE42A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.723{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_enable_susp_windows_optional_feature.ymlMD5=F57702FED7B2209FC79A6361B36E7BCE,SHA256=499E26F3D0DAEB83E40A712F810D07EC27A1C223FF97714B6942C98A72E866E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.721{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_enable_psremoting.ymlMD5=CA7B3EBDC948DA1EB3A28E097D913F6E,SHA256=5AFBECFC27A023816246964FF0452A5AAEDA37E2AA974B002BD74B5564D508BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.720{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_dump_password_windows_credential_manager.ymlMD5=FCEA414ACEAF952ABEFA48D1BF7BCE1D,SHA256=D20471126192484F53C5442912B38BF4194C0CF6EB1007700B0E2566E7C06076,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.712{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_download_com_cradles.ymlMD5=07D0D3CBFB17B4296A52CA861A601B43,SHA256=FC9798A1D45BCA4764040AA922C4D66763A8CEAFE70BA41AEE2834219582B10E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.708{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_dotnet_assembly_from_file.ymlMD5=9ABDB8715110E373FFEE0557D3ACD83D,SHA256=1207A4E481193884B9D03EE211D26658E2DE3EAF53C32702230923B8CCF71D87,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.699{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_dnscat_execution.ymlMD5=940695415CA53E18BDB17604CEA7BC6A,SHA256=D4BEB9F9ABFC7BB635C38B9977B01DC9955F66963A2A4DD4A9CE9C110E45C57B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.697{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_disable_windowsoptionalfeature.ymlMD5=E4287A50E6978C5C44AB8E870294CD50,SHA256=684B254AB446EC5836DB0EEC85ED1123B468A987838FFDC8440CEAE992E8D155,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.695{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_disable_psreadline_command_history.ymlMD5=70DEF75D16564F9DDA50868BDDE0205B,SHA256=240252A27DF35F4B36D08A99EEC3A984F914087179E5305527ABD36DCDBE593C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.694{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_directoryservices_accountmanagement.ymlMD5=4561B23A884F9F8D3BA912031FF9CC01,SHA256=6D2F4DD70401679F237531F3C0676449E3031D9795D094D2E6EC1C2D36495EEC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.691{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_directorysearcher.ymlMD5=CCEFEC7AE966415C56A71F7D35EE0A93,SHA256=606A27B86A3273BD165CB4D41AA7C4C6B443E14B20A419CC99A800865E6FAD27,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.689{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_detect_vm_env.ymlMD5=C288D6088621CE81C9AD434651EE69AC,SHA256=E14506DE72BC14C40B7ED9DA9F406A5DFBB23CBAB85875F33B6DBE00E99D5A1A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.685{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_data_compressed.ymlMD5=DE6F674F066B6932992B32CEA3AE1835,SHA256=54E00EA3193AE5BBB357F8F8D280AA89AB1D09AFF88E27CA83D8486CED016765,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.683{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_create_volume_shadow_copy.ymlMD5=E78BDFF2C99FC417870258D79B5523F9,SHA256=EFF36C4D534A246F24FDA23E64813DB1B5876EBA5F816AEEEC1D7EBA7D097F8E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.679{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_create_local_user.ymlMD5=335B7D7D501EA20DF7E2B99F63E2ABF0,SHA256=1720DFB0EC1809A74277DA79E6D35CB7F66861D0BA9A517E5EA649A71D147B46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.675{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_cor_profiler.ymlMD5=F1608901E96C0DFD882B90B36EED119C,SHA256=3446B416E7CE4C5C238972C9EB5342F282511B6B7976B6DD3F76431DDDAF7B42,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.671{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_copy_item_system_directory.ymlMD5=224607F1028CE1E6D718115406295C40,SHA256=74FD1EB0C8058B1089775E95548A1846D2BEF22F115B4AC6247930A4D0E5729D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.666{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_computer_discovery_get_adcomputer.ymlMD5=84955A1C765FF639326EBA0DC4AB9096,SHA256=1B5664F50F9306EBEDDD64806DCE05462A5CFEB2E17E56EBA19EA3854CA84493,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.664{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_cmdlet_scheduled_task.ymlMD5=07E3AD14B494EFFEACC917449AAFAA19,SHA256=71AAE03D41E5B724D25E3A524131353880C7F9D60559C6C8B9020BCC28DFDC93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.661{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_clearing_windows_console_history.ymlMD5=D12C911F15CA9B44135ED258AA28E883,SHA256=C0FDAF14A3FB86D0F0571C65C454E1F6B2952F1727B014A54F3782639CF852DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.659{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_clear_powershell_history.ymlMD5=8315ED57F18170E01B6AC48244737BBC,SHA256=E4F1B349949753AF58BCA09D7F868BF371AC59C29D23790E1DE92C202048AB14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.656{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_cl_mutexverifiers_lolscript_count.ymlMD5=331C74B77D927F3EA6B3107E65962AF8,SHA256=1CC27D8220541AB256344F085E264186B329FAA0D5AAA7DD33C0D89F04472ABD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.653{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_cl_mutexverifiers_lolscript.ymlMD5=96B59AA92F63C7BE85FAC2B3CC5F0F07,SHA256=B3354F6E13D265A1F4AFAA64779181F56386C514959641730B868EF9FCDC383D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.648{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_cl_invocation_lolscript_count.ymlMD5=469CA9129FBE722C90E2F5B201C91436,SHA256=8507689EE37313475602EB02E4D43CA88ED5DDF9A0C255D2E8C673BC7BF5867A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.645{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_cl_invocation_lolscript.ymlMD5=00E3CD350013B2121FE8063736CA98B4,SHA256=E73748020EC7B712E2B810E1263BD0D1DACE2BE16B29CA139C5E4AD70476BE9D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.643{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_capture_screenshots.ymlMD5=2037DD88D9B047AD39A170CA75FD57BB,SHA256=DE72488ECDCA9280C2101A18D3BA79D685464FD546F5450027ADDD27B864164D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.637{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_automated_collection.ymlMD5=521777C189EC9D10439F21C4919E0B63,SHA256=AA385302E0989EE74932D6B2804B03BC001183FB5B79478E2A50334DDB0EB8D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.634{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_audio_exfiltration.ymlMD5=CA449AB3301DA57E5C63627DEFACAF7E,SHA256=F11613040A441321F6B10EA62A0157A15B0677C7CC9CED9ED140FAA8E83F5590,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.633{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_as_rep_roasting.ymlMD5=5E717D7780253D4B76025F097B8FE226,SHA256=2080A68084DE3DB3F4CE401382630ECA788F28D82D4B84CC406F795A00FA914D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.630{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_apt_silence_eda.ymlMD5=670A3BB200363B395B3C144289F8C675,SHA256=3B0B43B6507B98D581022E49B1515F8BFFE4B8DE35599ABAA2E464E29D253A04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.628{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_amsi_null_bits_bypass.ymlMD5=BCF7833758563A5603C2A7FA1C0B4ACE,SHA256=A8103B0EBA070B5D71E4D84DB8A28D9999A896A4286FA87E97CF337E3069C7C1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.613{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_amsi_bypass_pattern_nov22.ymlMD5=6FBA99192D3885B3965D5BE8AC352AC8,SHA256=33959BBB93C9669F8773DB1C8146B41B9ECD3A5059DEE8037611CD98A7A8B8E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.610{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_adrecon_execution.ymlMD5=3ADE7266E174AD86BFE513CA9F345404,SHA256=E0ABDC88B64A589BE7E37ACDE61E61CC3E2A47776AED47DCEE309759492F8057,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.607{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_add_dnsclient_rule.ymlMD5=A3E38CC44D0420687E57CCF252A5989A,SHA256=1764514608F4F5FF51054DF185E0CB882774D0A92DF2340C7DEDDF12E5B7A754,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.602{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_active_directory_module_dll_import.ymlMD5=6178DC915899FAC68667EF517E96C9F7,SHA256=BF1931D858EB9AA11C6DB9DE207E0C92C15F3E6EEE31C00D76C1E328EDE32E10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.601{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_accessing_win_api.ymlMD5=C9E8AE8117F99DDBC37D43848C4B8D21,SHA256=DE98656F7F1AB1065EDD6EB9C482D56A09E98763F931D3B13E316C09F25A3916,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.288{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_outbound_smtp_connections.ymlMD5=C62FBECA8565180A89F1DF229874C093,SHA256=5B755744EF75429A4BEF19E1FE89405828CADB63082B672700057894F45C60D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.286{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_outbound_mobsync_connection.ymlMD5=166B50816F953A0FF0761322CDF8BA70,SHA256=F6E5C039ECCAEFFC9A8D3D32368DC0AADEFCA4334F1F4E9C5260CFA150145D2D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.285{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_outbound_kerberos_connection.ymlMD5=5E061C7301F444EF67432C9B91E3357B,SHA256=8BE27354DFAE7A146185C1986EF2EEA80BAA553ECFA163B91B27CBFD6BC4D982,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.283{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_epmap.ymlMD5=3A9A3B72B7062D632CC4C882BDC240D4,SHA256=295808A14B64C2174D89A81B73ACA75EE85DF88FB3CA11A4A5DA36EDCCBB518B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.279{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_dropbox_api.ymlMD5=5052437B83982D4613D0880FBD67C86B,SHA256=DD30CC93A72EA3459D150F18B1B4986CB8F992047259A39E3D1461E7A34743DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.276{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_cmstp.ymlMD5=551ED714450D302E3A16C154E39C590E,SHA256=41383DB549C611314F5971F1CE517BEAC2E974172F8A13F44A4EC23C2E92F814,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.275{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_susp_binary_no_cmdline.ymlMD5=7A3925A489CE1D4553B886E1DC7C5C9F,SHA256=E193AB5BE4DE858EF058B40F5D27770C659C075AF6B4B33BFE7C0AFF83B69C67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.273{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_silenttrinity_stager_msbuild_activity.ymlMD5=0C5ECFE237CDF551302B1DB8E501BFB9,SHA256=1ED111F7707B6009A34780F25B8D16F87E702C9CFC63706FC72FD51813B6B832,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.272{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_script_wan.ymlMD5=49BB3273BDE4B6EC92187F0150761F96,SHA256=D23E850BA379729615962322E56C4D45B54DCE85DCEDFC6D9580C3BCAA0A090F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.270{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_script.ymlMD5=319275BAF38B5240F86FD170900274F5,SHA256=853274BF94310D1B2BF5A6C485A8E6CDAF2F4213CF17BC05659DFAA60D086C4D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.266{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_rundll32_net_connections.ymlMD5=811FAFC3CF0569822187B034C5B1EC15,SHA256=1F2D91C0975A93EC2C5D3401387820F55FCEBE5AA9BF17920F25C9017B569FCC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.265{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_remote_powershell_session_network.ymlMD5=948C4F1CABE303116CC8D848A6CCB5CE,SHA256=621076CF3FB6ECFDAAD4865E657EC32BC4522453A210DEBA8FC0283CAD990364,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.263{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_regsvr32_network_activity.ymlMD5=56F06ABC10F6AF1834DF0831E83D42CD,SHA256=CBB905861225668250C6878466750C5C857EA04A730F69EBBFB3FCD2B5AF43D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.261{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_rdp_to_http.ymlMD5=E937A3A595F31EF37591685D1A950CDA,SHA256=3C4827C7DA448258CFDABA967B16EF73BD8208CFDD343A6884C4F5AFB5E3B576,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.260{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_rdp_reverse_tunnel.ymlMD5=9C246323226D1D8E747B049C71E87DBE,SHA256=2C6A268B9EFED68D41F920A16F789602CEA68BF1B332DFF467D633FD20B495C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.257{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_python.ymlMD5=D40E206588ED0AE47F2C7E9981AE9D88,SHA256=02CC43937FBE3A0510EBF1DA40DB3741BC99B5106D43D4244295627E364C4DF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.255{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_powershell_network_connection.ymlMD5=7CB26E606BF32C01A8AC8C1956D4EDB5,SHA256=DE325B889FC6ECE55864F52EA9E1F6712446F3FE1FF1319B1A550339EE750C53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.253{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_notepad_network_connection.ymlMD5=AE155840C74DB2FEE72BE9FBBCFFCAEB,SHA256=D30B5CA718A532E1594F05194C439996747BFE6B667DD569B673FADB02BA230B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.252{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_ngrok_tunnel.ymlMD5=83FC0774EBC6C3597CE408F37C59E7BE,SHA256=709BB5DC871767515323F08A6D3E13ABC64ABF165566218C963DE6295A8E89C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.249{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_ngrok_io.ymlMD5=C91589467AB5C01D130C45166B82B778,SHA256=C7A22106AF1E7DB503059DE784EFD8965E1637670E2E7CEDF1580BA8D5CFDE3A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.248{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_msiexec.ymlMD5=9056C195CD5A04DD369840078FEAFA2E,SHA256=240863AB641EA0B97D06534347D9ACDD421F5746ECAC97367499FEB71D40877C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.246{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_mega_nz.ymlMD5=EA5774B9D86CDBC02904434856B51286,SHA256=3FC5097F7569B2D2543906B075D12D6B681F57BC9545E950A8C4DA96DE0E377E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.244{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_malware_backconnect_ports.ymlMD5=C898046B66B5DAF18C0D41297B9EDC59,SHA256=D119395D59C1AA963CA437A863F2A071FA19D81C71903F48C22CFC6595A1708B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.242{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_imewdbld.ymlMD5=57C850DA817DC871CA76B64860BA32DD,SHA256=BB9DD312347C558EF814835F5C8470D195033760A2656EFE7CCF2587285B45E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.239{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_hh.ymlMD5=B741D14E466C335770BD8D68EA440B41,SHA256=00ACB8AD9EB90B8AA4FBC77A4726E4EA1B735E5A05E322BB396DDFB7FD402FB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.237{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_excel_outbound_network_connection.ymlMD5=4D09250DEC4E21A4ECE48CF112273F77,SHA256=C97FC5CEA0340038958F5ECD96BC2FFBBF72B0E003711AA53FD500552735FD7D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.235{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_eqnedt.ymlMD5=6AC16DE8CFFF17377D9C0E74EA523808,SHA256=AD1CBA019A2E114BB794620E06EFAD6117C075BEEF4BD8FDB18BD921579F910A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.233{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_dllhost_net_connections.ymlMD5=9F0E8C0A21B1A0ED1AD97A16B879391C,SHA256=859A03BAB2DAE4F0EFAE244A0BF4907A399F7ED3B7BC6AC5EEB4D8EF7AE38C75,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.228{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_dead_drop_resolvers.ymlMD5=92246F6663708B1FC1B053EDC60986D7,SHA256=37D5CFA5596FB3C05B67ECA927138CFF5E12AD812C8754824F6D9D8E609B3924,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.227{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_crypto_mining.ymlMD5=EF42A0590A74DE29CC1764461DF772C5,SHA256=71111830B0538409B3FA8708674938C3A2AD7FF19752E4850AABEAD97BB7064D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.223{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_certutil.ymlMD5=181F80ECCF84F8E22567C01DDB516063,SHA256=9B7924781998ADE6DCCB88B493F81C614AF0649B4D3272C049C0BEF9E9CAE33A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.221{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_binary_susp_com.ymlMD5=0D04CB8ED4DD4DC4B24A5A57FA9E0149,SHA256=85FEC0E67D7C341BB01DFCE855F8FEB6D8D597AFC62D9092EEB1C715DC5612CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.219{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39EF8A670189D68113EB163011C8A2,SHA256=17428E624C55F871CDA66A050B8B55C0CAD74133028879F38D748687CF536A4E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000259903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:33.219{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\net_connection_win_binary_github_com.ymlMD5=D61A7F39F3FAAFE22CDF6881EACFF21B,SHA256=680A700F457B8D65328C13BCA543790C087BF30CB50229C860CA50C3DA448075,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:33.767{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F5AECFFF54323135F125F46DDB96F0,SHA256=D9EB91EB036CE9C234FB2067070BAE9C1CE3CCDBC12832611FB88D2F92FA14E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.998{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_pdqdeploy_runner_susp_children.ymlMD5=155950F25A39F05D5BEDA9F12C3606B5,SHA256=6C351193231C008BFD87CE8C0BBF50D0A5B6AC82CA78A9CC1ED5613CC0262CE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.996{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_pdqdeploy.ymlMD5=8F83F48210BE1C580C8F181D13DCF513,SHA256=A388618B335A9A921490187F20AE554949F0D851CE7C3FE4DE6D8BAA4A37FD1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.995{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_outlook_shell.ymlMD5=BAB81D53D3533FADBB31259D72C6D74B,SHA256=4931B2C816CC317C060EFF80930FB2893E97F6C69427C0C9BB34A50459E30AC8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.993{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_office_svchost_child.ymlMD5=79AD780528C4820721BD8BE8619FD727,SHA256=9705257B3F400172EC70E9D3F49F0CB8373ED14F3D8C9C4359601771E9C5E0D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.992{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_office_spawning_wmi_commandline.ymlMD5=1FC2B5DFC6703758CED37740C6B3E760,SHA256=BFF705C6B54F487BBB5E058D1166536AA41E7F837A3D41041577989AC3C16BAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.990{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_office_spawn_exe_from_users_directory.ymlMD5=DDE6DCFED5505A6D937B5A66B90B812D,SHA256=02ED76BDADF1067A2D5D00F453E66088DE2B143C7D507A9B43123E02A8DCE941,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.989{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_office_shell.ymlMD5=018B72B55E3E46DD96730A12874D7941,SHA256=8E9476C1FF645725982B0E9002EF8F476DCA81BA5AF58A793AAFEF046AB0EDDF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.988{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_office_dir_traversal_cli.ymlMD5=D15FCB10DADBFF0EEB0B1BCA546970BC,SHA256=261FB432A1AA42C847598FDD36D9CA42BA622A197D9A3844123FE40B40E99D22,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.987{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_obfuscated_ip_via_cli.ymlMD5=8066E82AF6AE6832D9A41C187DA2D7D4,SHA256=340E902AF1DFB5CD997654051F539FF2181886A3EA5BA86718F04FA5C6F39C20,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.985{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_obfuscated_ip_download.ymlMD5=D15958A4A98115BC3601E875C6B6856A,SHA256=F8F2910AC6938203212448333AD84EE7F32A066E89E8AA16DC89B8235C0D556B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.984{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ntfs_short_name_use_image.ymlMD5=BE3D2AB783177EA62A843F37E531D459,SHA256=01F71E212F8198087205A6B4F765D436126771FCDCDF4DBE9B704061131D196C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.983{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ntfs_short_name_use_cli.ymlMD5=F365957857911E74F864D61E1532A06C,SHA256=3C44BF88F9F61B913F0217D2C809039C3AC3345510E9465F46C47F97AEE0D957,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.981{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ntfs_short_name_path_use_image.ymlMD5=2C01E79FA132BC0270BFFE0F71EE27E3,SHA256=493CA6F069F02E3B7E89AA7E2E460B4DBA0FBD67BD23B352FA629187D27314DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.980{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ntfs_short_name_path_use_cli.ymlMD5=472E762F122F987F3036B37289F8D4D2,SHA256=05AC84976D20342DD4ED9550216266DCFD83C944BC2E384E5481FFA024D423CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.978{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ntdsutil_usage.ymlMD5=5AC03C98BD87AE098F01552D451DBD02,SHA256=EE473309288E7027D100AE53BA6450A61E2F630C66DE9A00F8FC040D954B74A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.977{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_nslookup_poweshell_download.ymlMD5=9F0B86EE3FC1643A330CC9BCA996477C,SHA256=972A46382EB8EAE1A73F085C8CA0E43B19080917B1EF8CA6B025A6D0C50D875E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.976{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_nps.ymlMD5=836E843D91A13203E062A3B82B2EE0AC,SHA256=A96BE9539A94DC9D0081236E9A70BEF6C705902EFEF6DA2D9DDDC94423551AF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.974{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_non_priv_reg_or_ps.ymlMD5=04314845ABFF10822AE65BA010026D09,SHA256=92AC2EFB9DB1E7AC3B71CFA9ED9245B1E253962602EB5E7BE83EE7E29A4F8A24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.973{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_non_interactive_powershell.ymlMD5=54E671B2EC51FBAEDFB1FB0AD14909B5,SHA256=4EF0330412363C14F870FA34D58B1E0B87104E93EB8FC8962DCDEF55AF556BAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.972{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_node_abuse.ymlMD5=4E2CCF1315E79D9A4772E59A6D565683,SHA256=A9311A526A821C1FD40E4D199B1E8E3A371EC9DDFE098B6B4869E971FAECE1A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.872{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_mailboxexport_share.ymlMD5=C8B4ADE2D2507368808DFF0BB6729563,SHA256=3301AD2023548CB7AC679C25889C70351C6C8446DD8F2F0D010CD5AAAFF5C419,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.871{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lsass_shtinkering.ymlMD5=B24E19AEDF568D6EE0DF6BCAA07E866E,SHA256=938C7C2A4DDAD1912922871B4C9E191D6966F2A808821826DE7291A76F0CD01C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.869{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lsass_dump.ymlMD5=1B677E94244B29559DA0DB1AC01027E2,SHA256=9F16650A1B99AC684F41A642A172FD7E993C4219CE16A786175E5BED8172ED54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.868{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lsa_disablerestrictedadmin.ymlMD5=A108A1855A9D6CB7A2C56D0986858605,SHA256=B813B7848069CF46855A566F47BF3A68BE249B8A85468491107005DFAAF8BE5E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.867{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_long_powershell_commandline.ymlMD5=4B9D8BB37D5DB6D085BE24A6BB38E83F,SHA256=663848A7487BE000C6A7968185CBD08542F5C3812F497AE60446D1AA360EB373,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.866{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbins_by_office_applications.ymlMD5=B344AF473780B8AF4958D61538607A6F,SHA256=97F207ABC4098E17187AB22892A0C95668084E6BB07B5B17AC27D57D4119EE40,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.864{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_wlrmdr.ymlMD5=87CECF5D5F748B64BBB76E184344077C,SHA256=0B0513FA9DCE7D8123F9BEDDDB7DB92F7DA847E54DD707F1C37B140C8793C01B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.863{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_winword.ymlMD5=36C28D369233F02D90F1830E11D06E3F,SHA256=0FF33639EE6D8172212EA7B12ED4C4C444675428EFF51B499968AA0EB1011FE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.862{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_wfc.ymlMD5=79DC1F054A43149223D3A5E8E55C14F5,SHA256=3F1AC111C9E17B21CCAFE602B892384ACC723C7E27A2E655A08CF824FE54CCEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.860{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_vsiisexelauncher.ymlMD5=C594BD7A73E744FBBE4B11267054DE2C,SHA256=7F9E5871D320DD915D7F804F049CB2A95C64484C8A4698039F58D22D029EA597,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.859{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_visualuiaverifynative.ymlMD5=0B327E27C8DFE574B9200EC21A9719EF,SHA256=83E99E8AB27EB2FF6E09CF6BE4454A1A53D02D9AD100C4D0AD53BFD6D69514E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.858{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_visual_basic_compiler.ymlMD5=08676704F98ADD4B4047B10F2EE129BD,SHA256=A35DDB1C96D963F852BA3FBA7B6DD7BBD8E787F6DAACBB8592158245B03AD0D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.856{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_utilityfunctions.ymlMD5=1AE6A603B34D8CCD72B9F3B23B1C01B6,SHA256=9444D9AE70A5310B9B03DB44F05175C88A0F36AB5A32579ED463CE5B4D14ABCE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.855{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_unregmp2.ymlMD5=C116FB688FFA34E88049DBF472B9DB0B,SHA256=EC6FF0C57FCD8B55AAA31C43F0FE604E4774C2796DF5537F05737ECE93680C1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.854{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_type.ymlMD5=E98D5DBF12010FDBD164923896F5BCFB,SHA256=F80B7E097ABF4CD7CD20C0A7AE7DD7895ABF90CBCFB7C521A9BA87615D33B745,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.852{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_tttracer_mod_load.ymlMD5=4B0CB3FE6C69C608E35FE00568CC7126,SHA256=F99464A00A65FCE1510BC51855EEF291FA26D1BC6C78A4936CAA98AAE45366AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.851{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_ttdinject.ymlMD5=5FA0A51279454A4F78B8346ABD3074E9,SHA256=2FF4EBF362979627DF3C95B37767A2D539D8B90003BB03A4A6EC7D775271374A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.850{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_tracker.ymlMD5=BE2EFA03233F76FA319D957C4CF50C9F,SHA256=12638C616787BEB87E210B3426BD6B429C54A9BAED4AB0EDA2F218847A7A0694,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.848{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.ymlMD5=79FFBC36CA718543D5ACAD9FDB682B66,SHA256=D6C322DC360E9A486F6D16EC56FEE04A324F4FFDCB99FB15EC748A97BEEA31D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.847{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.ymlMD5=BD42FC7BBF54A4C51C510E961F3DA884,SHA256=C6F302F6E522E5ED14D925C730643111634E2BD6DB37512B726AC4AB7AB62EB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.846{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_wsl.ymlMD5=4E3029C30C3F0B61E0097386978DB0C4,SHA256=18CB42FFE2C4309F895818A668BDE8CCBBB720E41D9551BA4FAE142D881E73DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.844{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_sqldumper_activity.ymlMD5=079DFA24BB082C462E7C4D5B0C4924C4,SHA256=DF5A5DF272E11BBCE4CC16F834A18076EBEE6D57831527C8D22230285070DDF5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.843{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_mpcmdrun_download.ymlMD5=E92B6FFFE9EA0517423342BFFB81130A,SHA256=811AC1F5267DF049BF3B6878D3CF4B4695D035037D6D1051530E3A7F73E5E7BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.841{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_grpconv.ymlMD5=10EAFD9E909E6B7C13C64CAADB285664,SHA256=38BDDE576577929136F43392E6B8F998F96764424DDAD7A66A77FD15CEFAA597,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.840{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_dxcap.ymlMD5=E098ABD2BEE37D816B8AE13168D91F6E,SHA256=F9D1EC776B2B7EFB6491195110E1C6086D8065B1DF23F636C742CFE4D7B51FF1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.839{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_driver_installed_by_pnputil.ymlMD5=13D7096CA00910B156B57146A9C8ED5D,SHA256=DFE8AFE0416341138CA7AE293B4DB22530B07F962E4F640239C8E3119D9870F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.838{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_certreq_download.ymlMD5=2F35DFB1ED86542630B86D38EFF62EF0,SHA256=67C5FD7F30F34D33BA965C950D0C6192E11BDF7F8ED4AC67E6B95B954C077D9D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.836{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_atbroker.ymlMD5=2103EF3A06B7C3E353C8FD8667DC2A47,SHA256=4911FDD08500A232688335D0B1C53240AA3A7429E582B82DA3CA5E757A3A15B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.835{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_susp_acccheckconsole.ymlMD5=4F7EBAEA9A47FCCDACC505295BFB00F2,SHA256=92E929364B5991935000E30EABD590EDF2ED3D473A5B4EBD6BD85E7DB2C972C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.834{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_ssh.ymlMD5=E9DB88E77F57BDBB10F1F5E27A51668C,SHA256=F95019880E442F82964C4075DD87B9E3610DC9841E0DCBB272E2E9C6CD1FDBD2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.832{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_squirrel.ymlMD5=4ED65B2ECEAB5BF888B324F4B20327C0,SHA256=3E80C60AD4B22ADCF0FE38FAD73F2B5BFBA1E2E17A5097D0E3D4F146D693F02F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.831{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_sigverif.ymlMD5=48F9507F580906C1B035B4D1B5AF2A3F,SHA256=E38A78612F1885CFB55A42B18D66A10D7E385F0E47F5F8A70B6DB87BBDA1856A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.830{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_sideload_link_binary.ymlMD5=C9731480F9FC06CDCBD4D344D4BEC778,SHA256=F33727D26FE80CFCB6EA29D2097E72179C50B6982229B2C94E1F5E603C4F9EDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.828{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_sftp.ymlMD5=8A8769961C256D52DDE7C37BE2448485,SHA256=CBB7674E7FCB441E22DE71DF4EDA98BF7773DEDC1A7BD64E384B2D091D0BDF6A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.827{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_settingsynchost.ymlMD5=09A8E8653BF0DE3D67AED9CAAE12D83B,SHA256=3D6B5ADA57E5739F65F1882CBDC3816EE3166E78A45E55F4739DCD6688AFCC4E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.826{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_setres.ymlMD5=D50633FAC287A86BBC9824D8BD9B3070,SHA256=2BD1BD578E6ECA4B9B729FFDE0C5C58FAB09268E3A473F38AA375999C25AFF6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.824{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_scriptrunner.ymlMD5=4A2CA861EE5BE78998C1528EF44E8C7D,SHA256=4540B138B0661AF608D974EFC077BF2470A8408239AAA0EF77A735C1B918DB00,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.823{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_runexehelper.ymlMD5=4B39ABF08D8074960F810C9AEE00AD9E,SHA256=9E05694D2EED5FAF5C64474C62DBBEC370FC7F32920DFB596515BFF9B5FB6F09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.822{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_rundll32_installscreensaver.ymlMD5=7E0C1EBAF24C1373C33338D9F166690D,SHA256=6FA345EA0CEB560F6586820B2306D2D8708F291EAA890C87D27542B7B9160BC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.820{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_replace.ymlMD5=4C20A7D4018C8D31C7DA0D6E6A52372F,SHA256=259A17DE806D9AD3279DEF8334C113C301B3AD9EE65957EA6374FE5F36C5FAEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.819{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_remote.ymlMD5=868193E984C70966B2D447D5E5D84AF1,SHA256=B83804DA970C61D64B859D725F0BF1A860E6CFE7020EF9B2414FE0C8A106587B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.818{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_register_app.ymlMD5=A40F53CACE2D70DFC55A168DE0EC784F,SHA256=168A5D2F0C99B4B2FEE2159427F61ACD86067972A6262D483C7C31A1A08B6450,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.817{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_regasm.ymlMD5=D63A6B2A577A2F0722E8DF849594960F,SHA256=11BB5B5B7AEB0A83218D1C8C578102C5EEC7D947C70A6E022045FA7935A993AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.815{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_rasautou_dll_execution.ymlMD5=6F9DB0582BEC8179923CF74533ED3C28,SHA256=5AFC4B8C5ED1CFD76CF672181CCBE40D440D78AA96C9FDC79167BB45BC147FCE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.814{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_pubprn.ymlMD5=F8BA58C6DC3622AC1CDFAF45A2AED705,SHA256=1D6659833FD153EC739C1710D7AE70482FBACADCF3A4D92DC0A3DE54CE687AE3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.813{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_protocolhandler_download.ymlMD5=CEB7979A782DDD27D94F1A74BA672744,SHA256=43DD0A7C39824CDC50ECE9CBDD2577D31EB228A26BF336312061F08318DC1940,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.811{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_printbrm.ymlMD5=C809B5985EC5FF7973726A52E6B10780,SHA256=5C952E2B333D557013FD0450AF60DFE46067CBA8BC01B7AA1A88FFF917AA7BC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.810{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_presentationhost_download.ymlMD5=E4226300A53F76E1FC4EFE3CA63C60F5,SHA256=B604C7DD24811305422A469EBD3A4800144643D10802AEF96908959AB9FEB6C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.809{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_presentationhost.ymlMD5=9DE68F16E2A01A1DB2BD9CEAAF1E930D,SHA256=E5038ADA8BEED362516DB5E939F4F6C88CA693134EA42C80643894D78B348109,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.807{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_pktmon.ymlMD5=59F36424E6398BCDC7005432D6BA38D5,SHA256=7EE67A2CA5B2E2743469EA1989E421BD1E3B47FA1FDE078248AF351DA2B955A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.806{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_pcwrun_follina.ymlMD5=2545FB66D3DA1917B892FE0E37643007,SHA256=83991CC0EE56B7A1B4F317B424FB3D20EA054FEC5C9326F3098991A46F932BDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.805{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_pcwrun.ymlMD5=26BBE32A17997AAD218DF72ED2E2666F,SHA256=A767756A039B56A9AEC4188B4F52DC1952643B0136696A228BDEA6B61179DA46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.804{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_pcalua.ymlMD5=967F3C5925910DECAC85E85DB845442D,SHA256=F140BD6A5BB25EDE1AA9757EA1E63E20518B5EADD5AB8820754A0078CB617090,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.802{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_openconsole.ymlMD5=A3554C6E1348553DFDA5619A7ED5B1D4,SHA256=3B5BF6F9F4B6255145AEC67B8279BB56258BE009F348B3F78E4F457179EDE8E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.801{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_offlinescannershell.ymlMD5=D79BD101EA751C9A1195AD7D51474805,SHA256=5212C689100A671588B89595E6D64F07975D459DF8B1E2AB6159F6E394DC702C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.800{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_not_from_c_drive.ymlMD5=F168451153DB7BA286B35C837150B4FD,SHA256=20801B345C833F40417FAF123AECAB7CB4BC2CB4E75B0A2F1CAE55D968E2E224,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.798{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_mspub_download.ymlMD5=341DF48F54F110B1BEA55A71A2662C9E,SHA256=D18F3D5D75B69A3BBA457EEDEB1E9A16B81E68EA4A5D309CFCC4DFE376A32E85,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.797{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_msohtmed_download.ymlMD5=F1F004B53EE31557327AFF239A9CD52E,SHA256=E78CD725E5443AE9A0F7D0A5AC8FDD2F7C148402794A81A465A77000C6B5998A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.796{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_msdt_answer_file.ymlMD5=ECEC844D094221953DDE9193474CF84E,SHA256=C077DC9758A4A0AE7BE8BA1B2D02851D042E59ED62EF9E9609377C925B8B52D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.794{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_mftrace.ymlMD5=D172A86B0D4706317BF0ABA124A8BD83,SHA256=367825245D62892C2B16272374E580C6CCDA0A059F4471D5780564C59D8D4C2B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.793{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_mavinject_process_injection.ymlMD5=6ED09B7ECC2C2C67FD50B5080E5F47F5,SHA256=0CFF5928C1431184F33BCCAC167465545F77034F7C88E5B542C4C838373EAD57,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.792{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_launch_vsdevshell.ymlMD5=C80884B0436D6A7AAFD3DC3472B6FB08,SHA256=3A77984B0F69C17F22DB3B380295378F3A6A7BE23B2D675061FA0FD8B579D239,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.790{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_kavremover.ymlMD5=313B17C2E29972AA168BB5F6232E8B1C,SHA256=76B368E1BD749CC6443CCC696A61D3711A38642612FBB954A4F0F82D647672C1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.789{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_jsc.ymlMD5=BBBA35536AFB550F94D091DA0106E6E0,SHA256=C053AFEEF8519EDE3F940D5CC03B350324D1B1A3561492FEE0891302AA0A222D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.788{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_installutil_download.ymlMD5=9BC980910B587E124A51ED6BE65BC7E5,SHA256=C25E4A0EA04A85A41D4BD66FBADB6B25931EBB75E9EFBF94A7DDF6D5E03C0207,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.786{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_ilasm.ymlMD5=AF520C1B36298D916ACABB2C795E20F7,SHA256=50A87C89C60088ACCB9BA949708A13D33CF2C841A969EBBA8476768FCDEF805A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.785{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_ieexec_download.ymlMD5=4955F700EEE0817B6021A84ECEB67261,SHA256=3CD789E03919AD9CC4A6397AA2B2BF7DC43CD123867FB1E08C0FE413332DD3B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.784{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_ie4uinit.ymlMD5=5AB85EC68ADE54E4507126AAC3EC6405,SHA256=652C7AE4BC05BE31E96DBEA9269BE9C41EAFAE4EFA5C1455588F0EDC8A4336BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.782{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_gpscript.ymlMD5=A414B35E33D52230D6B893F0798850AE,SHA256=CC0479929D4A11266317B2D197EBB79A15DCE64803D211CDAC17854ADE6D67DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.781{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_ftp.ymlMD5=2C2B8C2746F7C30888EB47EE707BB774,SHA256=89CA9CAECAFD9CBB3EEE653068C972B8D207B848EE6D37FF4C8A30CB27FB488E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.780{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_fsharp_interpreters.ymlMD5=D3243FF1F083DDD867D0D412A619BCF7,SHA256=B4EFFFD82DDB455E495E52346361DAA23B105CFAA6B7D21AFB397DEFD2F0A6B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.779{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_forfiles.ymlMD5=A04333A60AE82C3EE6F9D6FC98A56E81,SHA256=AE0FFD026EFB3E0E3D33E39109A36E15968C6FB8280A06C876917C6A8C80BA8D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.777{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_findstr.ymlMD5=DC09AB5C45B2E9182DF74A3FE541B670,SHA256=12D5B94E234C4B3A294A39DE83D4BB877A95CCAC12D1D0646918C3075A1ED761,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.776{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_extrac32_ads.ymlMD5=5E89921266A415CF03A36080F7F04E3E,SHA256=F802003855ADF95F271E348C7F78F36F3DAC5AEF51B87A9F38ABC2A6089BA922,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.771{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_extrac32.ymlMD5=25A10B6D4437D5B48C8CB0EDEAD72BE9,SHA256=9E4286828A141873B26AF9A1281C4BA88EDC47F4B9AD325B967160D03089F578,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.769{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_extexport.ymlMD5=442D5ACF25EF3B1A6C34A9448CF8C924,SHA256=AB05370E3E35B80C3B80411CA72D879DFC4F8C88C342E65D3F0BAAB7562367F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.768{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_execution_via_winget.ymlMD5=D063D7BCD2D0BBDE2D6B7DC1EA1C6F96,SHA256=05440F32F5879946BC5E59BD6278962D76488DE95E67470F0080EEAD0488E438,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.767{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_dump64.ymlMD5=AA10687F310B77098C9B0650F0F195F6,SHA256=BD87AE1C8FAC2F7F3BCA7048F607DAF03C65257E6610BF35CABC856F42A6B46B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.766{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_dll_sideload_xwizard.ymlMD5=69373C9918BFB4A4840CCCD68DD53753,SHA256=B8DDF40D6390E90A69776DCB7E40D6C091306DC8BD848EA3663B70CB0E50FE73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.764{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_diantz_remote_cab.ymlMD5=E58A1CE75793342B1EC0E822BF0C0D05,SHA256=3ECE9E8CDD198BAFFD47AA29523E962A13F8692E7A8AB1E7736C9627F81E64F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.763{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_diantz_ads.ymlMD5=EB5A1607D9833682A5A20DB082F68ED6,SHA256=5AF2EA09A11AE364D1479BAE195BACBBC43A17301A31C79108C80642703FD663,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.762{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_device_credential_deployment.ymlMD5=E6807D65F4BB4C2D7578070471B73E5F,SHA256=FE572E4690964E680D4D1653000864ACCFAFEACD7832D8133BAD66272EC9A7AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.761{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_defaultpack.ymlMD5=14411BD55B22D293A873A85298C4EDC5,SHA256=D84B044337256372014A2F2108832D2D600267FB6C68719EE09C33F96F51C6BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.759{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.ymlMD5=499871820DEF4F349E70CA7DC717ED6D,SHA256=AB46D288419D3365D28897C4FC0199C9A7DCF918A7D94DEAE66CA017BE47D1C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.758{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_customshellhost.ymlMD5=57C79455F02F48AD70B47188E37C101B,SHA256=768F8988AC610E7A2A66AD4FB27114D24AF5714E50182726B12C21BB4CDD6119,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.757{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_cscript_gathernetworkinfo.ymlMD5=868BC6D4C3E79B452F187D3A7DB4C4BC,SHA256=82F711A821F988B98691509281662EEE9262AEE39643BE0EDD5BD49E6A9D4E4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.755{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_configsecuritypolicy.ymlMD5=B9C57DDBF76C828C528BE61ADC1C767F,SHA256=3232BDB2940F687C77A7A08AE50442BB182B4B5CD6576DBDC3173C99F20DD8F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.754{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_cmdl32.ymlMD5=048F4FF060455A2DA4EE2E9F5763BDCB,SHA256=DCFA452832029F28D28241D326F3106BC40ED9ECEADB2979E24AB50703BE56C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.753{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_class_exec_xwizard.ymlMD5=A43DCC53324837754E06DAAB6BAE5683,SHA256=D31198140FCF2A5F000C0EF8540D8EAF75664C036A0F82DFFAF99A9903E7B6C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.751{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_cl_mutexverifiers.ymlMD5=4607EF06AB94DB8063D252D2833E5839,SHA256=629C519C34C5A52C8F6DB3ADD5534F1EE2133E5B120E4550B566CD42289F9207,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.750{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_cl_loadassembly.ymlMD5=BECED15C8BFBA19F02AE8D688F3AF39E,SHA256=08E56EADB2DA0FFD55EA2F0DB9EC7C2246A263317B2656090E92056BE84DA1BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.749{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_cl_invocation.ymlMD5=399CC9DA12A682057D329EF16A5DF25D,SHA256=FB9FED820F320AD9EDF902C5369E44EE8228A7CD4052956161D22784132C7F34,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.747{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_certoc_download.ymlMD5=347FFA7826DE02DA6C15B96C497070F4,SHA256=083D67B21A10FFD0DB76A415BC5ED89F57D2A215167845D916D4EB6FDE7AA3A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.746{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_cdb.ymlMD5=F152AD6D3D1C1A7851929B2225A5A961,SHA256=985FCC8980EA93EB180EF29E26557686A40459DEE85439F6317534ED28555479,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.743{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_bash.ymlMD5=A0F94193DF4BC1612681F99739FE5058,SHA256=5267FF7241C976A34E01DB53C7A5514773FBB9A694EA11EC401A1AB43C111E2C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.741{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_aspnet_compiler.ymlMD5=A025A016C4C98B5CF166C26F37F1AD1B,SHA256=EB9A3EECC4BFA6AC8E328D2B8AA71F71F4B4170344AAA1E93CCC7D804A1283E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.740{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_appvlp.ymlMD5=476A82578D69DFB2DCB23CECA49A3D1C,SHA256=D10B4BABD2DE00364F7E1A68E91A01347526A33B19D974A780F3A4905E6BAD46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.738{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_agentexecutor_susp_usage.ymlMD5=7365BA91976A76E29EE57968F29FC260,SHA256=8EBF93D5D539938B4B23E1FCD03F1277FADA9F85D1FC1C69C6CD11397EE0DE3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.737{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_agentexecutor.ymlMD5=DC2C7046A660D408E33FA92252CC255F,SHA256=E33C282967EA3739756538182CC8FEF3D797662043DA855E04D2B8EB4D9F297A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.736{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lolbin_adplus.ymlMD5=D5D053B75B0BC3AC5514512C23B7B852,SHA256=695A4AFFA291ECFF850B17FEE545CC5CF51E8D20B01D0BE64E1688212390804A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.734{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_logon_scripts_userinitmprlogonscript_proc.ymlMD5=F5D8483CFCF0450F57477381EAF74947,SHA256=A04164DAC573EB1D891AB7CAFFAFE9E59787E30B1A31DD5F49A5BB7C9CF10A30,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.733{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_logmein.ymlMD5=57D2BAF26B8669EAD412936B02574DBE,SHA256=CF8E8196EE5117A13286FCF0EEA0813633FD9F683BFE494E1D5C77C7C5A655C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.732{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_local_system_owner_account_discovery.ymlMD5=1CC4D57AEB34519C105B929F322DA0D2,SHA256=329A34055731451C73E67245F45C4F19E7436A3C3BB9133C285B3A32C3F270CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.730{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_lethalhta.ymlMD5=33399D576DC963C2CEFBD8945C9C2907,SHA256=EC54AD05D49BB44CA75841F73D9BBBE1F3BC0F2D471A76E52A09D629771BF9E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.729{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ldifde_file_load.ymlMD5=354062B9C6C514A2FD1B106EEA0C5F9B,SHA256=E0077D6BFA1717BA11C17BD5A10233FF9FE4DA21F0811C20C6D208772B7E74D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.728{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_jlaive_batch_execution.ymlMD5=0C17621B866C7338B460CEDF3DC7587A,SHA256=16D68ABDD8A619748C4BCAE452A5B70F87DC08BA6FE906B73B98EA6E0CE41449,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.726{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_iox.ymlMD5=C94306811A945431429ED83A1DC30C8D,SHA256=9A9B11D94698E5A4FCF7E853EC4E3CBE7AD60255ED90AE8832036B0FE19EB40A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.725{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_via_var.ymlMD5=46F2BADA96D2E4CB942580E064618C9C,SHA256=9CF22658DB77F7B01D8D77E5927649B1BEAEAFC0581B1962D3BF1AE7272E6BA8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.724{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_via_use_mhsta.ymlMD5=4299D614F783B3907168474326BE563F,SHA256=FEA994976DEF47245B86E481D9628F824DF2352B4BC2508D1ECC60D7E17C8CA4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.722{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_via_use_clip.ymlMD5=DD8C2C1BA4C9C5D29A4AD091BB7973B6,SHA256=40888830722319C63A8EA9B3DD5AED124CA49E49EF6650CEB6E7D3624B81E68A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.721{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_via_stdin.ymlMD5=C4D2D407D22E1800891BDAFC1CFC1BBF,SHA256=E482A1011BA383D24D92FE2605B64B1792AC68DF2DF7E3C68C0E5A585E0D9688,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.719{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_via_rundll.ymlMD5=158597F744AC1DE325CE20684071117B,SHA256=C1CFF1CCBBB199FD513E1BC32F4CFF26E4F77E61FD7F14E67D24004219465807,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.718{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_via_compress.ymlMD5=B6186CB3EAC28CE84882AD0922304C91,SHA256=2C5E48A7D8CD7316AB464557B408D1D05769A22D7186ECD6771E09D878405E51,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.717{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_var.ymlMD5=C330879702352C5BE0F6D9F2104DD01A,SHA256=28F786D055F7A21C523876CDFB02BA92F1B7E2839366D2C797563E3C90B9ACC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.716{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_stdin.ymlMD5=07E71FC0E6410CB66D278DBEB1486E44,SHA256=446C4957FFCDA73A66DC812B62C90E070A9A927553264D36F072C20B61CEE971,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.714{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.ymlMD5=D03BEDA427237C14118B4DB0A929FDED,SHA256=7C20861B3320C4F850EDFB8C5419C3CE907D3F9B07E96708617D0B8B4524F164,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.713{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_invoke_obfuscation_clip.ymlMD5=050F599C66C8100E24A3E5A5947E157D,SHA256=10F3233AFA53E06030BADE42EE5EBB9E4179A0534A552FB54769816607F1A563,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.711{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_interactive_at.ymlMD5=A337BA85C080A89F7C901AB9903A2D3A,SHA256=2091C7337055B5032E3513B1DC34529807D23AF9280771526498C95F6BF0489A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.710{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_install_reg_debugger_backdoor.ymlMD5=B1A2A0C83BF6F2FED691B45D82D67D6A,SHA256=C0FC84EF834B5A1590EA28489E5346B3E836C196AD7EB99C8C6CD135249831A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.709{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_inline_win_api_access.ymlMD5=3D0134E2B929444E68BE4A4F87DBB29F,SHA256=C38CF3E31232AB396EBE2389B40C0C9BA67D89489058B8EBEBA790D10EF0A009,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.707{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_inline_base64_mz_header.ymlMD5=CE8F199EA78F0387E5720C1BEC3B7F87,SHA256=78972F42F3F80D79D47E68FFAE79A0BF65B7AA0A85F3FC209707BAE5C4126866,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.706{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_infdefaultinstall.ymlMD5=7FB147A9BE48000C0C11EECEEF75CE2A,SHA256=8DCA0C894DD330547BA7749236BADE969040BEB105BE914B687E94FD5E429055,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.705{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_import_module_susp_dirs.ymlMD5=D169392218BE0A3EEA0AABA29C9BA8F0,SHA256=23878371EFD4B2623524BD0C5A081B5B33F0E220D2F88A20F01F22893378B7C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.703{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_import_cert_susp_locations.ymlMD5=53D615A1E5E50B0CA87BF43F73EE3F25,SHA256=BB97D10374D86575BDF5A1A971F973DC74C137B1A23E8333F7CC59A192567CD1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.702{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_impersonate_tool.ymlMD5=8720FD7F331D4D8F84704ED0F5983F2A,SHA256=3A01F5ADE7E2E165FA7C16B3E91458CDF785C6D2E3A1D6D24A89FD224DEC012E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.701{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_impacket_lateralization.ymlMD5=2E4CCDE97158D870B544A0D93D7EEAF9,SHA256=69B5C928C947C84C76F320E3FD09C78327504E84009C820C4766A4915C6AE841,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.699{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_impacket_compiled_tools.ymlMD5=6704B2F88B4F78CA01C10D6C722FF1F3,SHA256=14E284EC0694BA5F46301C5DA31630DE70A6C06C92F099689D99D7B71E8C1C36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.698{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_imaging_devices_unusual_parents.ymlMD5=9F8419E9707099E252BEE80F7DA772BD,SHA256=14D28704018A01ADCBD1CC69E7A706DBA950E0A3D046477934DA01D002B3E572,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.696{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_iis_connection_strings_decryption.ymlMD5=3097E933C992B3A398A51E0E1B3C7C0F,SHA256=5B314B9F2DBA8EC50846526A1969AF4CC7351DD0586183D139AF106FB2FCCE29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.695{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_iis_appcmd_susp_rewrite_rule.ymlMD5=A96C45234D6AC9113D709BF19DC3BACD,SHA256=6477054422CF37BA6C94127DF0D96A3297F746320531DE93879028940A4144A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.693{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_iis_appcmd_susp_module_install.ymlMD5=FFC21679429CA89913085F0335DE1B47,SHA256=FA14B20967095C4BD1838F912BDF7D515090ED7640177191DEA3B8EC2949207F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.690{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_iis_appcmd_service_account_password_dumped.ymlMD5=5CA510BFB2AC805ABE0FD8E4D5EF696F,SHA256=E94EA9CC6BC80B126A2B33B4D302AD3FBFC63904C2E07C53BD0A843B112B07C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.687{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_iis_appcmd_http_logging.ymlMD5=FDF159AA02ADA01EF166A4C908188B4F,SHA256=4650ECA5D673E805E54F0FE58EAAC61DB3E80F92D30ED756A261529E7BD47A44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.686{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_icacls_deny.ymlMD5=DB28FF5A5EE04C690DE8D25333937DFF,SHA256=F75BBEF1A6D1153F7197CF2FFFC5E74A9CEB127AB8984E5AED478B3AE453E55E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.684{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hwp_exploits.ymlMD5=7AB18623EE518CACC5B278142F3F6462,SHA256=89264BFEA28CA0EB1C1025709264DE37C49CBB3930A1362349E181517A5F7099,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.682{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_html_help_spawn.ymlMD5=109F2BE0684CEFAE161ABBA32C74DEDE,SHA256=CD0E925CB4442F5CD34F2877E34C5E2D3A8D89C7AD119D8D3BC048C5B9172237,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.681{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hktl_uacme_uac_bypass.ymlMD5=4E0B5A71F2FF94C7DD308239D859A16A,SHA256=7039784CB4C6D0F9DB3A404CFD2EF5DFBFEA3A8F78FB341FB0F6EAEE740D8237,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.679{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hktl_createminidump.ymlMD5=AB2912F9C4521E3C7ADA9B0EB4936715,SHA256=5C0E5B53A94EBA2358F7612C76DBAE990231BF2666A614846A911817F8857EE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.678{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_high_integrity_sdclt.ymlMD5=FA42F90502AC27E70815BFA04B520249,SHA256=7D186367074810E75833EDB1D7FDFE93CABBE86F03FEFFD59AC3651639F0D00B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.677{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hiding_malware_in_fonts_folder.ymlMD5=B07BA67610480D7B1D64619F4FAE97AF,SHA256=EAC24C97A2F6B3368E2E8412B27392C25A429D033BB2E995B07C52BC492C4868,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.676{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hh_chm_http.ymlMD5=B409F7A809E23D62966DC0E8534F2B93,SHA256=8B9C9BBBBEEEC9168733708CF1F88F9C1DC813A630698A5CF7970B3DCC6B6E97,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.674{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hh_chm.ymlMD5=9F3A580327FCD26373D70F1B9C3F3B7D,SHA256=B35D4223206AB854874B5A760587CFCC3680860EF249632E4BFCC8C03F89949B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.673{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_headless_browser_file_download.ymlMD5=043E6E2E0B95D6C34E3964E25EB0A652,SHA256=B566AA95B82C9B499CCED0A804A6EEB6A1ABDA93876A84F97313F50F6A5B7CAA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.672{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hashcat.ymlMD5=9F9E157FD31E01845CAEB5B6B4341AD7,SHA256=9A89816425C2A1BA5478EC5A6C510ED67186E4CDED5E30C5C3EF37C8AB73BDD4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.671{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_handlekatz.ymlMD5=8C6EC7D00B95301250B1FE843C1F1407,SHA256=877A40684BB09E62A458C2DA84BBEF1FE6AB1B65A8D9B801568F1F5DE4DF2D53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.669{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hacktool_imphashes.ymlMD5=2D896076DA8B876FFE7C9DECA1D97BCC,SHA256=D45504814C8CFDB650211EA37F8BD26E7500F262C3A2397FD612A329F1F231B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.668{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_wce.ymlMD5=1757091C82F92E942046D86AF8467086,SHA256=C0EA06723470EE39A0A317394C091298E427B6948383BF3528E4F387E0F97717,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.666{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_sysmoneop.ymlMD5=1A530D888C4E3C2476C9EE86EF111A4B,SHA256=6404B60C43AAC5096B2B4D18FEC70176F698736572821531E82783EB40A7F281,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.663{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_sharpldapwhoami.ymlMD5=00F8AB0A5E28E79FA61AC59B2A28A984,SHA256=FE7164BCD2C7233D2EB21A8BB543F7B7F75931185B0094AB76C0D9E786816AD7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.662{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_sharpersist.ymlMD5=EB0F8516C90741626AD0CE8AA5991F4E,SHA256=3030A0AB8E67B61C6B2CAF3AB69350DD3541724C6D3C07A6638A77731336B1AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.660{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_secutyxploded.ymlMD5=2DB8CBD26F27A64DFBD579C0FA360348,SHA256=3C33BA9BB3648299583C5D508EEDACB079E6D3D7484D128EFF75332E910EC4D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.659{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_safetykatz.ymlMD5=7248A16E85A1C84D81C979CEEAAE2CE9,SHA256=99C9B70FBB50182469B030EEACA7F44AF0637FE6179236B178F2EED8FE6A028D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.657{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_rubeus.ymlMD5=CD8FB949706B0408D6A1DFF8A0F1751A,SHA256=9A9BA642132473386D2E373DEE97C543C57A8FB1986FE07465DBCB59AF2A534A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.656{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_krbrelayup.ymlMD5=8AABBA6E858C6968DD5CAACDCB8769B6,SHA256=A877AE7D9C42CE538DBAFB73FC2ADED8E570E92AD42BC58ADE1833A26BAD611D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.655{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_krbrelay.ymlMD5=3141311FEE9D80E57F4B755EFA4B65BC,SHA256=9CF57B2F870059D95E5B33800114ABEEF49A2FB602F2B4FE1A206F60CD391BAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.653{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_koadic.ymlMD5=C3FFAE65BB8CD802821327E893F63C35,SHA256=FDF554F8FBE89E64DAE4F4E71C9F432AD2DFF58B027FDA6F7E4B59FF88A9F595,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.651{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_inveigh.ymlMD5=8A2C86D347329C707AB458D287778EED,SHA256=C0C9A3BB3BB6F9F503ECDCF4C36ACB59F605698B44A4D85249B7FAC722C3623C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.650{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_hydra.ymlMD5=6354F813D6766A386E615DCFDB344D11,SHA256=7BAB83EB199E54F6492D16556B31B7D7CA81A986C3F612ADA2CF9888C816C639,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.649{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_htran.ymlMD5=7FBBD43EFB0BE5736358E8FA58727EC8,SHA256=05D22EF2631BCBACFD3A2B37B80FFF20DA185D56257281C1F837C9F5AD340932,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.647{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_dumpert.ymlMD5=50308DD5CCAF9E8B7D764892F95A4697,SHA256=0AD2A8E72C5CFDD33E3D9BA7141EE7CE22D4CF03E83947105725A7650A667A6E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.646{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_cube0x0_tools.ymlMD5=3CD92E6D462082B47C42E0135C2E77E0,SHA256=18F0F0B6B5186FCB3B64BB86E6C9AE59D4C1BE1DE467D6972211F33B53ADE294,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.643{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_bloodhound.ymlMD5=773B86890024FC895C9C6CA4C02F56DD,SHA256=A7A0E0296EE18A5127EEDE6FB21076BAF6543BB4C392013071152618AA3DF083,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.642{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_hack_adcspwn.ymlMD5=99906240F8504DB0C0C6489059111EE2,SHA256=96A37C8910CA0B161E2E2FA7ED34D4445361462A8B8648150C69749898390FE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.640{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_grabbing_sensitive_hives_via_reg.ymlMD5=8A15ADE49B347F43A34C96897338142A,SHA256=7EF6B56445D9E07AE74F1BE64F74BF16623A7C67C18B6A9BF445EFB682C76B2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.639{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_gpg4win_susp_usage.ymlMD5=B479D9F7D88319836F843EE90EB0B2E5,SHA256=208B43C684856A054AB1EE49FBC2D156B30896E2ED8880DF0C8B74065B2DFFFB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.635{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_gotoopener.ymlMD5=A36E8D1BDA72A39072FE95E9110A2984,SHA256=B377996F3D6BCE96C209224A28A760F900C81BCB82CC93CDC08C6783FA42ED17,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.634{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_gmer_execution.ymlMD5=D74752CE0010C297E2629DD6F3F7FF27,SHA256=7C1DDF90E39AAAE89CE6944169D9FD64D6546061910B395565D1DD5B082A7C9D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.632{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_get_localgroup_member_recon.ymlMD5=CE41904D337911EFB932B619776AD053,SHA256=4164428CDD3FDFA828D6F47AF9F0F8ED1CF30BF0C95E17B9D49FDF22C79A18FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.631{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_fsutil_symlinkevaluation.ymlMD5=56B57E4E07D51E2B31BD0101968034BF,SHA256=F6D09F656DE49A3F5DA273085033284D5DC02FEB635CE4DD0A9594901A3A2AFD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.629{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_fsutil_drive_enumeration.ymlMD5=D701830E5FAC3531BB2850C79B1C7F38,SHA256=DB4F7485A37B2A2A5B607417050EEFD7A18D141A287BFF188ADA85869A55982D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.628{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_frp.ymlMD5=398699E995960C3A48C7E6B1FCF22407,SHA256=7403BEB688AADBBB715CAA9B716CED4376642F34688F030FEC21348B98243E41,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.627{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_frombase64string_archive.ymlMD5=A72461EC4E2A1C87634D9351B82A8FEB,SHA256=728C6DDEDFC59D938F04997E5FA753239B43C63600668E4DA55CE14D892152E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.626{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_firewall_disabled_via_powershell.ymlMD5=98A935EA53B8A918CCD505039859A6D1,SHA256=486B6208A2A1F1AF135290A17421D01156FEF92B3181BFF081BF8934EB696EE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.624{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_findstr_recon_everyone.ymlMD5=55AD84C368D3DDF5354BE55B236A371B,SHA256=3B3ABC816BCD7104DCEE48367EDC582F5B76D0CD07B78311B7C1F8178D728C0C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.623{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_findstr_lsass.ymlMD5=01C453C7A8316EB9D4E2AD5A496D9699,SHA256=F2D5D465F0E07989A808529C7756C4DEB1038A0AB26EAAC9A97B579F59F8DE7A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.621{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_findstr_gpp_passwords.ymlMD5=4EDD0D1AACDA48D9C638BC916C31E17E,SHA256=35BAE820CC940655FB19C3CC2A5D8A20F5B44786A43B2961D7ADBA832B827E98,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.620{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_file_permission_modifications.ymlMD5=F8C8FBEE23B67491300944658AC15FA0,SHA256=B6661422874119CBBF9B49064A74A087BB0C14C74F52847DA74F345F65A8D9C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.619{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_false_sysinternalsuite.ymlMD5=B41DBCAD5A9A35739BBD7D740D59EFC4,SHA256=0552064A9CF50B9B04BAC7F4DC6430E064375179C2D14D179DC054190146C1F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.618{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_systemnightmare.ymlMD5=F04D78F35DA58C9148F485122E1341ED,SHA256=AE57311EF299DD55CA3646B96A05906BDC60ECA6E4D5ACDD1CC01D335F459413,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.616{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_lpe_cve_2021_41379.ymlMD5=E90F6D227660BEB55DEBCB3F48D0FDB5,SHA256=3E7AC13A8889A8C231C0DF439BDB1AB499B0FDBEFA201E2FEECF6E2112FA4479,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.615{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2020_1350.ymlMD5=84CDD134AC242E0FC76C991EAF354198,SHA256=DE76929BE159D62EEC8BC3877886FDB8B6F08F8403DBB15F7448BEF2EF59ACB3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.614{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2020_1048.ymlMD5=DA154DF89D6751DE0AABF9AA925D87B1,SHA256=EB982D8EAD9910DE357945064E226F7375B36833F9A2F6640EBC692FEAEA1C38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.612{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2020_10189.ymlMD5=C5FA233E8AFF2D8DCE4E1467F2C5B744,SHA256=5ED67CD1C136390D18D576A74A01E5183EBFA8B4E8EE15D5DC57B3B9A910BB3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.611{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2019_1388.ymlMD5=C1312684A4B1F4BE7B03726B411BC96E,SHA256=2FA99163AB88505867A9BAC00C489B7734B669743895FA791F3E7748C4C08A98,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.609{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2019_1378.ymlMD5=D8A3B79B38B59400B3096C427A9C485A,SHA256=3329668DFDD5FE4479B1828D47A6AE379C223B01ADD891D93E0CE219C3FBA29E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.608{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2017_8759.ymlMD5=7E63456C8BC369A87088FEF6964FA1EF,SHA256=ECB3BC73AAF6D71642CFF825C1CD0E85B15A6E3534083896096FF70EE09B314B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.606{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2017_11882.ymlMD5=FD7CCA0C380787BF40938786255409F6,SHA256=DB20ADB176ACDE1C8DF20EB8273C43279911A4F0B4EAADACD59D8EE0EB7254A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.605{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2017_0261.ymlMD5=456D1B02580018B406E37E59DB607ED9,SHA256=36E99DEA435DC78AA5591F94DEC2D4ADDD2558DAF7A9D13A8DD1F6F4E3D3AD17,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.603{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exploit_cve_2015_1641.ymlMD5=10A142BF5A30AFB6E9209A4BEEDB1B77,SHA256=EBE0D96884021277A07C8717BEA45D62BC362F0C1A6D7A6E1C33AEC3DD221377,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.602{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_expand_cabinet_files.ymlMD5=4EE3EBDE1EC8C1EBE9804EDB4C001487,SHA256=DA935264437372EFA8325ABF95A9C20AB5B16E7625CB6D28EA0E5D1A00E87316,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.601{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exfiltration_and_tunneling_tools_execution.ymlMD5=FD3A7BD6F7E0D95F183AA38308740FE1,SHA256=647068875A62789EF51FB971A748D1E2C5478FA72C1BA073A417BF082CC8BAEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.599{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_exfil_data_via_cli.ymlMD5=2192470E375A08B66F2BA8277915BCA3,SHA256=53B4EDCD4D5BFD6A8292B7C4BADBC88FC2F605A958459B5D6014417DFA02CF63,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.598{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.ymlMD5=4CF0FA445B61617C445A4A75D6BACE59,SHA256=092131E1E8ABD8A565431C0131D228AD08ECBF2E56AC5F2DA4281E4E30E3C1CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.596{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_evil_winrm.ymlMD5=AE00BB32A4DF3573C3E4791D2A112DA3,SHA256=0701B98AAA4CE3303C66076AC608F503F1D2796516B8A9851570CEB581D6C394,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.595{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_etw_trace_evasion.ymlMD5=3A499A77F6291A1017A0344D47D31FFD,SHA256=A09BB19E6DD1EB984FF0245D9F705BDBD7075E0CDAFF54D4E72F9600564669B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.594{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_etw_modification_cmdline.ymlMD5=2DED5800F7EA843AC934ED3CE6AB08F1,SHA256=BC3C9F7D1E21987C7D0391D3D64FDA7BB2617D5A379C180F83D28CA0784E9636,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.592{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_esentutl_webcache.ymlMD5=89A251CABD49C0622F8938C5AF90D313,SHA256=1596BB88F73B2A41DAE522036A56B7E7CFEF5138A385038EB7D6DA37D63CA32F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.591{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_enumeration_for_credentials_in_registry.ymlMD5=D39D8F24FE317C379348F331AF27FE54,SHA256=78951A8D21CD8AFA2BD86F955D4FED6A6495DF28F993DCC6ABB5CBD0B8DF3287,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.590{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_enumeration_for_credentials_cli.ymlMD5=254F326BB2BC3FA5A0DFD60786EEC4B2,SHA256=7013C161EEA32D81F9AE27C43A2EE53B22A2D3AD182DB49B9F900CE38BE0266C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.588{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_enable_susp_windows_optional_feature.ymlMD5=338FD86F02B7D5D1C1553CD2A7F7DC90,SHA256=69F7286E753805C8F722B9158C146877938D7A9C1BB43E64A34DA79C88CC4CE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.586{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_embed_exe_lnk.ymlMD5=711F76FC83AA8DA3CA493B1D5FB8CFC0,SHA256=9520EC964CBC8AAFE4AFD6903E54C403E6BB75402B7CB0533E61039CFD57ED33,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.585{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_email_exfil_via_powershell.ymlMD5=C9FDD3A268B74B1C18867994A8E93D0C,SHA256=75F18D17A7E261F6DF6BB2E9053D5E9E1ECBC2CC709B1B6AE82F35492BB2CC62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.584{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dumpstack_log_evasion.ymlMD5=15D5CE0FAF9E1DA5BC7FD1922EA8DECD,SHA256=66303255F8D7DA51C5B09EA3DAD7D19D6067C2567E1360FEFE97CAA6FD9DDDE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.583{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dsim_remove.ymlMD5=3813FC1CBA4B2C9F01D415FE1456C9DB,SHA256=A30A818CC638127A3828D2C894602B60C62A77CC01907B6C804996C960C5683B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.581{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dsacls_password_spray.ymlMD5=1F4D94C05D125730784AA86DED99198B,SHA256=98934A28A3DCB2726B500879C7569883ECE42AED4E059E322F993E80BC9D5C11,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.580{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dsacls_abuse_permissions.ymlMD5=CAB4B04149B7FBF8D4946EDFC61F7E42,SHA256=A3EB70085228E1D037FEC6096B458A1D0E6B568621DE44B1A2CBB1ECD9D555B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.579{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_driverquery_usage.ymlMD5=82A571E55D6F9900FE44FAADD515590F,SHA256=70BA2469D41E873AF362BE5C4BC514094C60244A6E36EF712DC9E6CD77B39EF1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.577{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_driverquery_recon.ymlMD5=A318A59364F695C0BC986FF6A1460E72,SHA256=405EE54426963736F011E376A3C5E87B099D8BC43012DFC9D78A5863AEB31D70,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.576{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_double_ext_parent.ymlMD5=834ADB3DA593D455F8E320C6B0FFECAC,SHA256=C6418DD12E5358FE285F21F4E08B5995B0639991A17FC02D030C2E7CC7865CB8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.575{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dotnet.ymlMD5=198601B8DA27A3B2D942664D67230E9B,SHA256=0B579EA92249BB0B406DF8D6D7E476C07CD0C35DEE3C51DD507098C934E8D2BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.573{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dnscmd_discovery.ymlMD5=F783A4D19E36FA3D80B6731C6427C9AC,SHA256=222998B9D2976150C863B25348CA72FC1AA1156DD6C5509F7E3F1AA9ED52EB09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.572{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dnscat2_powershell_implementation.ymlMD5=EFFD485560ED23BCE21B112E6209D6F2,SHA256=26B5120BBA4430136596C4A4E57DA743B170F54EC3C2F54CA31F5550C9354E05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.571{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dns_serverlevelplugindll.ymlMD5=2E49D2814F38BAE9AD2E2E86BB8A485E,SHA256=683149C5CF1D3F402CE9A521A7F14113E0008D82BA4D752FAFD86AB01053E256,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.569{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dns_exfiltration_tools_execution.ymlMD5=79E8ABBB0F4BBDFF7D15A5EAC1DEA51E,SHA256=1C5D54BA5093C141EEE9955AAE30265013A26779B5DEE3F7643D0A01824ED9D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.568{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dll_sideload_vmware_xfer.ymlMD5=938DD24B0B190AB42D9635682230E2E2,SHA256=A1FCA474455A7238686CF889F2BFF5AA3A4EAEBB39E851D4A1637587EFFCDBE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.566{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dll_sideload_defender.ymlMD5=E9976DD509A45D9FF7F2E315854F1357,SHA256=024F1C27DB6857D8FF344F137E48CA5B99051AFEED5B56CE5BBF5BC752B6427D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.565{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_discover_private_keys.ymlMD5=DBD75906C8CB549E934CF7A6D4E76439,SHA256=01A33D1AB0A0E6BA7F962516EEB74D6B9CACF98F073412D1B77F0CCC627D4A06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.563{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_disable_service.ymlMD5=4D98D21B48890C3C68C5A545B079B77E,SHA256=8D910D830B897A24C567BB7DC545B36AAB3FFCD062B2935D863963A44BFC376A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.562{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_disable_defender_av_security_monitoring.ymlMD5=A9A6D60D270D3480D448033DB5019F20,SHA256=7B72C0A01281C264FFAB12604CC5D1C961F54D9DB1454D9120388050DEEA2FE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.560{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dirlister.ymlMD5=584D854AA814A7E549868D942718A17B,SHA256=D901C519C152D278A6D5CEBE93AB242F76C2CB01CAD1255451DF1751163FF95A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.559{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_dinjector.ymlMD5=D048282171C146FAF5C6526FCFC39E21,SHA256=AE8A90F410A4F4B3265ACEECDA2303CAD973893900AAD6EAC92FFD2088B21D65,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.558{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_deviceenroller_evasion.ymlMD5=B2796E9006B041BE8EBDDA4902269563,SHA256=91F33E1CA75EDF2FC6592D1EE1AC80CF80C371F0478A65A92FC1518130DF4033,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.556{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_detecting_fake_instances_of_hxtsr.ymlMD5=C74DF79AA33E33DD6BCA033CD6859026,SHA256=CAB75F1043213A029D7B4B4B32A26B98DD5B71781347DEF652D63B6287D8184F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.555{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_delete_systemstatebackup.ymlMD5=9005A5BDC8576112A1B8665EAD5BE8BA,SHA256=595655BA339C5CA5B491465D7F125C234FEA8F3160CF1016CD2AFD1EDE84D725,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.553{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_data_compressed_with_rar.ymlMD5=8165BFAA76074BFA03E4FCF21DCFCC3B,SHA256=50309A6E72A8D265B56BA17CF1F2AFC42430B1EDD20E2B49F4CA31FC7DA3BFB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.552{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_cve_2021_26857_msexchange.ymlMD5=3C52D6F4F1807AC0D604FEAA96A7F39F,SHA256=22E80826B78F504CFC599D87A2C10A1F4CE4A5A6DA04DABCB2053420E7A6710D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.550{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_curl_download.ymlMD5=E1D35550B8742A411DF47B42F2FA3029,SHA256=4F0674BB9B205B32EDC2D92EB84D2CCA77875E9FC5F005FBE43A14F39B85B80D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.549{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_crypto_mining_monero.ymlMD5=86A3E2CBE2FB147C853EF22E19ED0FC2,SHA256=8B46B89A4CA9C459AB2699F4AD47DFC6D2320BA518C1945AC2C79EC71639BD7E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.548{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_crime_snatch_ransomware.ymlMD5=67B515450E0C6E4D2EB84F02639FED01,SHA256=5BEEF176B7A8460FA875BA4E231730DC3C1390C4F400E182AAB279E8F4A4F65A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.546{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_crime_maze_ransomware.ymlMD5=268E12E058F0B16580C26E1F55AEAD01,SHA256=F18C1E5AD8758325A54BFF7D382E37FE55E3F1FB028A9FA835F61A9C6D8428E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.545{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_crime_fireball.ymlMD5=F40D72CF937F22F3F7EFB2B060B13692,SHA256=BA47BFA9AAB821D3B423578CB919123A288AF64E079C9ACFA3B45444EF32A8E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.544{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_credential_acquisition_registry_hive_dumping.ymlMD5=7D0D6E4D477677EB3AE658118CBF9617,SHA256=CCE13F73C6A2B51307339E071BDD8830AF8EB5888F0FA7411856EFF40537EF44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.543{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_credential_access_via_password_filter.ymlMD5=288DBC84F75FF5F4559D82693B547BEB,SHA256=BCF99F0A32381FC8244357BE4BB11E9FDEAA7438223BF99817BDF54BD9955734,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.541{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_creative_cloud_node_abuse.ymlMD5=DEE9DB6F891398CC10593BB263F561F3,SHA256=E185884607FD28C9D317F45BC695D4E8EA4102A3271C1F69B6CEB48D0DB0AE62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.539{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_create_link_osk_cmd.ymlMD5=739C388A2C666F6E9476F98DCF07DD0D,SHA256=0672E1490DA919FBD39EB1BF51E132BAE210A869F6C6A3FAB72F6EDA320C87FD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.538{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_crackmapexec_patterns.ymlMD5=21595545DFC46D1368B84E9D1419EBDD,SHA256=5CAC5C427C9A237451A794B554D376D5847C3E97013C231D60D653243ADE0C0A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.536{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_copying_sensitive_files_with_credential_data.ymlMD5=E7F6D3F60E14DB8E14B7D5C1120BAE97,SHA256=1D99ECB13038BA242080B2BDB0979391C89E641F2328CFE6513FA0BA619E006E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.534{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_copy_dmp_from_share.ymlMD5=981031D3A10128E1D81738CE176D0BCE,SHA256=9A005C9A0F898B7710356090FD8D29582650FBE5DFFB3391258B17857850B1E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.532{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_copy_browser_data.ymlMD5=4B0886DD386FB847764B5CB05F9FB5F4,SHA256=779DF905CB149C9F1CEE41E65844472A0F2D9AE9A5E56EAA2AE63F555CA9B646,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.530{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_control_panel_item.ymlMD5=87CD749A06499FCAE60E40FED087A374,SHA256=5D494AE5F8F18E777D49D0699B705CDD08C2307EF235C218CDE7EEC4532FB3FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.528{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_conti_sqlcmd.ymlMD5=23F50538B19C2D1722D3D7E28E31CF0C,SHA256=A29F1B019A77BED9D5B2062488FB22C6ECD38BC525CF408A4BF49F7742DB1B38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.526{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_conti_cmd_ransomware.ymlMD5=542869233EEE48104E960B79F5D6DF58,SHA256=27595E0F23F10084E5A2C2B1162D8B4ED2786500257F68178864D0E1AC4A236F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.525{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_conhost_path_traversal.ymlMD5=439CD83C0FDD9538258D6EDBF6373AC3,SHA256=BD19985390CE43802734663D0C2462420D77B0751EB61EDBBDA3D4B2FF5F70CA,IMPHASH=00000000000000000000000000000000falsetrue
Sysmon Event ID 23 (FileDelete), EventRecordID 260294 down to 260224: 71 deletions by one process within 96 ms. Values common to every record:

  EventID=23  Version=5  Level=4  Task=23  Opcode=0  Keywords=0x8000000000000000
  Channel=Microsoft-Windows-Sysmon/Operational
  Computer=win-dc-ctus-attack-range-865.attackrange.local
  RuleName=-
  ProcessGuid={F522A29C-446D-63DA-9F01-00000000BB02}  ProcessId=2428
  User=ATTACKRANGE\Administrator
  Image=C:\Temp\swiftslicer.exe
  TargetFilename prefix=C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\
  IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived=true

EventRecordID | UtcTime (2023-02-01) | TargetFilename (under the prefix above) | MD5 | SHA256
260294 | 10:53:34.523 | proc_creation_win_computer_discovery_get_adcomputer.yml | 42A99BD0F7798F1117AE3DE4FFF61BC0 | CE9D28E58304B1BCA9CBFAF293F7E60EE7A224DD42F944BF346566BAEC175EF8
260293 | 10:53:34.522 | proc_creation_win_commandline_path_traversal_evasion.yml | C9CDEE678C73C462FAB29F2237841DF6 | DB4847958BD901C951625060A601EE4B6365D69DE8C6FB7137E72636F4E542CE
260292 | 10:53:34.520 | proc_creation_win_commandline_path_traversal.yml | 90AFD020357F4BF27B160096FE55F519 | 3C29EF19ED0B44CC7F63EAB446810B35717220BFF4670FA0C34E82E4396BDAAC
260291 | 10:53:34.518 | proc_creation_win_cobaltstrike_process_patterns.yml | 108CA0B2A28233C174F652F3A81A8C14 | D1D7E9ECAF08A19D512C0E92B2E2C78B3C1C4B964699E0F86DB62E9A6A7D570A
260290 | 10:53:34.517 | proc_creation_win_cobaltstrike_load_by_rundll32.yml | D424EF0472A3E437A57FA6D403B26838 | 43E1A096FA54ABF9E5EA10204C023A45402E016C1E2FA5BFF46526AE978DC1BF
260289 | 10:53:34.515 | proc_creation_win_cobaltstrike_bloopers_modules.yml | 86474649720903A0007F4CDEE7E76F3D | 30B32043FEF0A487E3ED3DC7415971FF73EC476182E3189EE629B24BF645FDEE
260288 | 10:53:34.513 | proc_creation_win_cobaltstrike_bloopers_cmd.yml | BA92C7A0E327854DDD57059DB495FD74 | 6340C7BEF2B407450A8C576516F57B249C69B46D2AB2E34E70A795CD9033F83F
260287 | 10:53:34.512 | proc_creation_win_cmstp_execution_by_creation.yml | B3A8665907E47CE7E2CBF23DA9F419E1 | 4676017C3B094D0803118B62AE1F38D89B9B23A110CB63478A3E44B4A073E84B
260286 | 10:53:34.511 | proc_creation_win_cmstp_com_object_access.yml | 8800CF744BC0605E3BDCC62A8A67471C | A74FB784F930E0428B9995E4F127A5CB0FB972609BCF1021B7AFBA99FB775182
260285 | 10:53:34.509 | proc_creation_win_cmdkey_recon.yml | 445B7389F3DB7ADBD83211A820D340EB | F0DE07054841DAA946ADF57A01F03A924D0362F3EEAA1B08B564C27DF9E585AF
260284 | 10:53:34.508 | proc_creation_win_cmd_redirection_susp_folder.yml | 984F53F2ED73DD1B80C18EFDD1B44702 | D419D48F890E7100F60DABA65A37129D48D7A305942607D6E5841837E5AFDC78
260283 | 10:53:34.507 | proc_creation_win_cmd_redirect.yml | A3FCEC613E18ABF3B515FA4C0ED6B290 | BC99D8BD685271CC14733229172A9E8BED117A264EFA06BED748CF479BC797D5
260282 | 10:53:34.505 | proc_creation_win_cmd_read_contents.yml | F3CC2C77483300AA8F91970689C9D3E8 | B7E0EA6617F9A7A26679B22810FAFB45EA30198E15B6A4BBC9ACFBD9ACF7C9B8
260281 | 10:53:34.504 | proc_creation_win_cmd_dosfuscation.yml | D6214F5F356AD4689ECDC182F7E84945 | C0C430321C560123BF14D1E1502F458A1AF69201AA18FC69FB743EA029A6ABB8
260280 | 10:53:34.503 | proc_creation_win_cmd_delete.yml | B17812F2B72013BEB8D83718FF89BD7B | 9A33DA025E14D24CC45B7C1AAD5234EB78798BC1D977441A1B6138A3D13879FD
260279 | 10:53:34.502 | proc_creation_win_clip.yml | 359EC12E04749E395B80999C4A54EC72 | 4590DEC9061E9DDA694CB8D83B4AC6CCF680BBD00E812EEA0F0E4E3C5029422B
260278 | 10:53:34.500 | proc_creation_win_cleanwipe.yml | 46245996C27C984F4ACFC4015E15D27E | 78ADCD89EDD318CF2DB0C07C1362559E4C5E7CD445BC02F2C91F4C7C47E6F864
260277 | 10:53:34.499 | proc_creation_win_chromium_headless_debugging.yml | C7B9B7C706ADC2EED0E4ADBEBD7E0A42 | CA776A61C148BB04B5947B96847FA6D4018553DC9BCD5D37C9BF407A4FD2D460
260276 | 10:53:34.497 | proc_creation_win_chrome_load_extension.yml | F7133B68D5EA37181DE680BDB512086F | D984ADCFC66B744F94C3D1775F60357512FB91A1B22BAFD7C7B6470FF3673A07
260275 | 10:53:34.496 | proc_creation_win_chisel_usage.yml | A26BAF9150BBBE33E81413D002794BFE | 2DFB5E815E2944F28BF2DDC750F7905B14008FA66F084734EAF4C01062042489
260274 | 10:53:34.495 | proc_creation_win_change_default_file_association.yml | 403A0EA4FE2C619949610DF470BD2C60 | A5C57F6E6549E52599B5295475A853ADA10B8CC6EF2CB78B0CCCC39D1EADA2DC
260273 | 10:53:34.494 | proc_creation_win_change_default_file_assoc_susp.yml | 79E31745090D21BD20357EE91E2F19C2 | 2D69C703CF0998B03AE6E5EAABBC8A076C0E5A8C725B37496EFC04017E4DF137
260272 | 10:53:34.492 | proc_creation_win_certutil_ntlm_coercion.yml | A2F35A6DF18E8FECBEB9C10AFFCAECE7 | D1BA6731E1D2E2B61567A304E516391B85005CD8F4DF242D71AB3826416FB28E
260271 | 10:53:34.491 | proc_creation_win_certoc_execution.yml | 316A46BD2587F86D6F9E1BCF64DD2A84 | 6DB90BB0A92E6F8542F9EF4A478DAD20C0AA8D6DB7F56F6D574502F23BD10EF8
260270 | 10:53:34.489 | proc_creation_win_c3_load_by_rundll32.yml | FACB47E87789A5801FDFA183A10E6523 | FF148D45512C9BB76165530AFD3D01F29D7A3E2999DCE327E674FF01CF76207D
260269 | 10:53:34.488 | proc_creation_win_c2_sliver.yml | 6CB4CE03AF908DBF46AF13AC4E5BE743 | 017C119CAE2209868209486C1EE19E6C9AEAFA266F67A50A27FE6BE7294D42FA
260268 | 10:53:34.487 | proc_creation_win_bypass_squiblytwo.yml | 78BFFFAF3208402D02A28D781FE4B629 | 90579DE86903F0BF7C1BAF953E5BB400510211130E2878F4D2D0FA97AE588C4F
260267 | 10:53:34.486 | proc_creation_win_browser_remote_debugging.yml | EB5FEA8D70B05F227888D3F393699FA1 | 4A9A479F3BAAFCB999B968264523E8BECD152318DA349DB26362CFF6A0AACD8C
260266 | 10:53:34.484 | proc_creation_win_bootconf_mod.yml | 282B7B68FEFEE3565E39B3AB565825FE | 7A0BC9DDAD4C11C6F4F1AFE11A97FE7AF9925031E7E0A57DC868FD8AA28B5878
260265 | 10:53:34.483 | proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml | 69E0ED2024BB769A64D0715763CE37C5 | 85850E165245B186A7B23FA496F54715B21DBD65290D8F6D43F4032E3257CBFD
260264 | 10:53:34.481 | proc_creation_win_bitsadmin_download_susp_targetfolder.yml | 37E4D9E4836A72D96E32E5A643D013B5 | 769EFC5BA78F40D729C8779DEDDA045A609941156CDEEBB92DD73CF4F9B29F86
260263 | 10:53:34.480 | proc_creation_win_bitsadmin_download_susp_ip.yml | 43117C3317C1C4ABF8DEEF7569C6A6D9 | 2C81251418DBAF3538975CAFFA4D6683823F130931B735FB76217C1328FF13AF
260262 | 10:53:34.479 | proc_creation_win_bitsadmin_download_susp_ext.yml | 409B74A4126C29D81B78EFF26D02523A | D26EEC6A50A221DDB774F0139F7C9B9C802023160775B473F0A5F605C2DE65C2
260261 | 10:53:34.477 | proc_creation_win_bitsadmin_download_susp_domain.yml | 9F1E5091CA30421528E3FE33DCC52B98 | 618EF20178529A57434FDC971B264D8568C53220E3354BDBC490B2BC0CE040CA
260260 | 10:53:34.476 | proc_creation_win_bitsadmin_download.yml | 6689D1242A666AEC9481B92A0EFA5F36 | 1A11CE561C90BDB32FE9AFF682CA1DC26729E7C9591135A5B174DB5E7A39D248
260259 | 10:53:34.475 | proc_creation_win_bearlpe_potential_exploitation.yml | 58BBC5F3441FCDDDE2AACAEC556F8875 | C9A1744EB1556ACA827BFDEC5AC91CE44E0E6A2BE2FC929A55419EAAF025DA37
260258 | 10:53:34.473 | proc_creation_win_bad_opsec_sacrificial_processes.yml | 6AE2C05E612B52BBE7D12D2CF40F8131 | 53C4C07D3988242FF80274DD2EEA3CCF8586B10165B29B2049B5605604FB1E83
260257 | 10:53:34.472 | proc_creation_win_automated_collection.yml | 5EA5997ED1F2240131D345D94EF10D59 | 228E00478F9D2AA6190E9F7DE89314DB0F18D4C95F2E1F3AD2E4A369D9CC2050
260256 | 10:53:34.470 | proc_creation_win_attrib_system_susp_paths.yml | FD7944B10A90DE69CF8F0F82F71A246A | E9AEB756C86496C516B0AF9EFBC2BB653B6789A0913121FBF5B5C830E707E364
260255 | 10:53:34.469 | proc_creation_win_attrib_system.yml | BF77FDE312C2CA7BE003C66E95BC95B6 | 4BCA02FF2FA28E38EB106F31CF07EFB689E9CEB1E2CFBD57AA29F465BB8DCAFF
260254 | 10:53:34.468 | proc_creation_win_attrib_hiding_files.yml | 4DBC21A4E57E9294A5F2CA6D62BDA330 | B89B251717C3DE41CCA6BA084D1333F32F7C80ED0A8715D9F32FFBDDD44F9150
260253 | 10:53:34.466 | proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml | 7FCB12AB8AF4BC4AB1FF6F26FF1ECA6F | FE2374C86E555C20BF8679CD6B1C471510662DC0BD1FBCE8A305D80D67AC761C
260252 | 10:53:34.465 | proc_creation_win_archiver_iso_phishing.yml | 4AD88DD4551E5B32252CFD5BA1872A5F | E1BA5FF86BC46C083A7D93F30F6F5DFC4ADA2D658A27012B00AF88838EC7D74C
260251 | 10:53:34.464 | proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml | B1EDCF1A0B5048AD771708F4659A8542 | 9E98311B08DB34D629639ACE54022E2B723F0068D53E08667A0B28FFAD41B93E
260250 | 10:53:34.462 | proc_creation_win_apt_zxshell.yml | D49AA538E2AF1355E6409EA28F012A7A | EF88C59581A8DB520D80A619BB6C37CAFB090F807B206DAA4009D655B241C586
260249 | 10:53:34.461 | proc_creation_win_apt_wocao.yml | D8BDD11055B36EC2FA23E55DC5DBC450 | 20A5AE21E014557765A68B576C510F21DAA42F0BF01C68D23ED2570641A6176E
260248 | 10:53:34.459 | proc_creation_win_apt_winnti_pipemon.yml | F60B9A5B1B7C8940CE74AAC72022308C | 04FF4C0E4C1C6FE3D0AF8EABB1DAEB0F5E357E023818904AA3FA85EBF97EA3A9
260247 | 10:53:34.458 | proc_creation_win_apt_winnti_mal_hk_jan20.yml | 1CDB7560C626607C42D4DFEC94A1790A | 99D17338C29DC60CB70106228607BA60D249C755C428C4B1B680F2549F0B21FD
260246 | 10:53:34.457 | proc_creation_win_apt_unidentified_nov_18.yml | 0E9054548F863A2B1477B3E7B3AF082F | 9826BC4D8F1134F8A34FF97A25DA970DB138AD0BC3AA61E6BEA9F2B3780B09F0
260245 | 10:53:34.455 | proc_creation_win_apt_unc2452_ps.yml | E48FD9708C34A74F27DAB71B3B781E41 | 1E3A355EAF1CA4CA2206115B80DD12E6EB8691864EDCD642AB42E6F867212D26
260244 | 10:53:34.454 | proc_creation_win_apt_unc2452_cmds.yml | 6C5C97612BD5C94C1F094B71E9106E94 | F9A5F35CB01654077E4B70992313160892DE42C1D116B146140F570A4B6106A1
260243 | 10:53:34.453 | proc_creation_win_apt_turla_comrat_may20.yml | 1905494347EF984DF588D21D8649DEC3 | 71B1F7AB0C781F14FB9CD458D8712943DD564B3AC10521E9B080765497F6E58F
260242 | 10:53:34.451 | proc_creation_win_apt_turla_commands_medium.yml | 4233F7E6D60CFE776D4E8C838225668F | 6B5B1EB21B86B1E1CBDDC578982ECF543AB7C58441A9E4E0BC224306BAE80031
260241 | 10:53:34.450 | proc_creation_win_apt_turla_commands_critical.yml | 01B8C2E1C71C95C003D18F13F5D96936 | CB1FF232013234862332F6404FF79F17790171AD454DD40D9ABC5AB3EDD4282C
260240 | 10:53:34.449 | proc_creation_win_apt_tropictrooper.yml | B4B4F79FC31EFDA829FD371C39EF450E | B49DE59F21C8206D02303B1C5A08612F9FAB2531442BC5F91F87E22AEE346A55
260239 | 10:53:34.448 | proc_creation_win_apt_taidoor.yml | 322975F6A5BEE90EE37E6860FE3BF765 | F7CA3DA7F7C5B06202F525293E536EA2B4E2640C1220C0DB454A5FCF445D4D03
260238 | 10:53:34.446 | proc_creation_win_apt_ta505_dropper.yml | 7EDD474227318DB980606BD61317B296 | 8C82DC5142E663A8DB5BE87BD1A56E3675799AEF8D70B3A16D8CBC35FDF72DB9
260237 | 10:53:34.445 | proc_creation_win_apt_ta17_293a_ps.yml | 1DB37D85C5E581E0B935A4D9171E46F0 | 283CDFAEC1385AE00138CF00AD28FAA9EDB2032426D87F6A991C778226561C0A
260236 | 10:53:34.444 | proc_creation_win_apt_sourgrum.yml | 412B82541F104409CBB862D16440B069 | 46722545052596C29EACD7959AE0B6FF5379C1EAFD8FB322BE295093344C6EB7
260235 | 10:53:34.442 | proc_creation_win_apt_sofacy.yml | BE4C7602F34D2FBD5B80A8D4E03A0B47 | B17A9E2A934E4CF97DA358B7BB57BA4CA12D2571AD4E7B9A5558EECFF4ACAA11
260234 | 10:53:34.440 | proc_creation_win_apt_silence_downloader_v3.yml | F984F3DC0A11B42026950F292945A4DB | CAEBFE4E3C4415DD80D3CFB87FBF58001B235DC12355DE670959B0309C3AEE61
260233 | 10:53:34.439 | proc_creation_win_apt_revil_kaseya.yml | B91A0B713D8EED6B498D5AD1FE39B58F | 3709926EFD58BA11FDE21DBEC38C2BB1AC483F130D5D4ECC8CD90C47898C37C8
260232 | 10:53:34.438 | proc_creation_win_apt_mustangpanda.yml | 88BBD2B50D20CD4FF41187B15041BB0B | 513C2A16C47F4EFCDB0CC3B148C7C6BE15D934AEC704ECAA29905743246E820D
260231 | 10:53:34.436 | proc_creation_win_apt_muddywater_dnstunnel.yml | 0496B59B3ABCA321E017077D808C2109 | C3852D18834DB2D0818BB1765751357C1F9899CBFA35A3FFB2756EA0550AB268
260230 | 10:53:34.435 | proc_creation_win_apt_mercury.yml | 66212F80757EDE1960240AC806ED5871 | B2DBDAB56AE1EC83C76D88B38CD25C5FAA1AC08EA084754456BBFA7D10B27D18
260229 | 10:53:34.433 | proc_creation_win_apt_lazarus_session_highjack.yml | C41E5ECB9E4D093B367510F46AFC0EB7 | 2FBE7B52F09DA0921901E2A3E7B5BE17B1FC315659F38DBE1E25CDB13F07633D
260228 | 10:53:34.432 | proc_creation_win_apt_lazarus_loader.yml | E8E3C862AD1DDCBABFFD59317075DE1E | FB01A50D7FF2F745C8AE3EC6426E8CDBAE0DEEF99B3543C931EA435EC286855E
260227 | 10:53:34.431 | proc_creation_win_apt_lazarus_activity_dec20.yml | F79CEF2D916C7797B6667DA399C1E673 | 0881C39EE9CA340151FF0528275739048760648AB2D5A90F679117B596E705BD
260226 | 10:53:34.429 | proc_creation_win_apt_lazarus_activity_apr21.yml | 653E5F323CAAD5C5BFDB924EFEBBF8FB | 8FB8620FA267414AC631B8D971EB51BAB7E21DB14FD53D529EC6CBF2E2CD0C37
260225 | 10:53:34.428 | proc_creation_win_apt_ke3chang_regadd.yml | AE8DE08658FE8F438B3CA83FBBEB95B6 | 7D98F58387A08675C1002B1CD96305931C6C5C3CFCF267C465C53189F80732B6
260224 | 10:53:34.427 | proc_creation_win_apt_judgement_panda_gtr19.yml | D24B1C2ABBCDE76FEA0C27951694E13B | FBAEB613A487C5933308F4D1138FE3920F127AE4DF6EA2CA6CC07DD3D4666931
23542300x8000000000000000260223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.426{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_hurricane_panda.ymlMD5=E76D17A2567506651DC6F2ECF5627FF1,SHA256=059D6B25D0E346C23D7D6FE9E14D19BCD87C0124C6928C41BC2928378963A89C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.424{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_hafnium.ymlMD5=01213DA6639833846BCFFE53D11979CA,SHA256=F2CB6061432E456441DD37784C86A485522EF9513611CB122742EC7B94ACB05D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.423{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_greenbug_may20.ymlMD5=E40D73C9AEF96C438315806F5CA3E20E,SHA256=9EE21833CA8E58F8D0DFF03FA7CC2BEA0A9908A59451EB16B8D6505C61A46AF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.422{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_gamaredon_ultravnc.ymlMD5=D5F2CA664A2D59EDE382FA42DCA57965,SHA256=6BB390D0C340DD28919EABAF58629E04ECA88CCA9453213A8BA98B5D2BD85A1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.420{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_gallium_sha1.ymlMD5=60E94DD10AD55C698E208A27E293DCD7,SHA256=B20AB3F287D8DBCC17954E5D7AD2C0275676A11D772BEA93A54055BF2E861859,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.419{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_gallium.ymlMD5=06BBD039A621A1F07A6F4C8E217C2DD3,SHA256=D64D93BC9E972D56CEA22EE67AE1FEC9CE36D52F060374C74053649423EF0C8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.417{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_evilnum_jul20.ymlMD5=CE2328CBEEFA6E6E26213D5350AAB8F9,SHA256=4092B4D5078D9B76A7ED2D83E9192A3353BEA1FC2C61C7AF83105AAD5DCAF8BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.416{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_equationgroup_dll_u_load.ymlMD5=79509DD2AB702E60655D03FD0123976C,SHA256=14BEF250EC5F6281CA91E3CEBA80344C73740E8CD4F087862609EC5D3AD32AD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.414{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_empiremonkey.ymlMD5=6941936206AD04333D7A617AF7A9B0BD,SHA256=4DAAAA445338B66D8BDE388FA9320742A39A6DF0120C9D41653AF9467F9413B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.412{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_emissarypanda_sep19.ymlMD5=ADB762379B8C4B3AD336557840F95D06,SHA256=9CB3798F06E53000E5AAC52C278AE8BFFFEB933CED0FC25FFA17D16BE5A5F26D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.410{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_elise.ymlMD5=F845940CB73E43E2ABB40C080827ACFD,SHA256=4534B3772573500BD9F2A0BF409BD5F297D28558265A2D97655AD55A9B0F27E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.409{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_dragonfly.ymlMD5=3F7A8D2945DF1BD38F86EE89842753EF,SHA256=F8E0B5B49C7906A6087ED0EDB53A8D515C031E5FD3DF8131C5DA84DE17FAFD05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.408{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_cloudhopper.ymlMD5=0C15F3AE869F30591A725D0797901EAC,SHA256=E782289E4ED73346623FB056511F486322CEEDA569BC1D1DD0922272C6876C3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.406{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_chafer_mar18.ymlMD5=22826EDE7A60426CC501D44F235E746F,SHA256=1967976AD26C0808E0A60EC986A824AB80174310CD0FB3238BB5506BFE912044,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.405{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_bluemashroom.ymlMD5=8FF56E716F57EE0CD392FD93C6AAFBB6,SHA256=D9497013540CCCDCB35F16C8CB2EAF23D10A5BCF74D7C94B617D9533B55B9EC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.404{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_bear_activity_gtr19.ymlMD5=2C9B220C4B01A6CBD6D4DBBF0E2F94A0,SHA256=1260DCAD55B118ADAFC2FA854B2808C713521BBA4C2179426D625CD53C7E2C51,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.402{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_babyshark.ymlMD5=C35000FC7FA17B541F780CCD4EB2152D,SHA256=96BAF90425054FFD528BAB7E600EDA08A1B746534595F96F8CEF3BE80688F763,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.401{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_apt29_thinktanks.ymlMD5=AA5AFDAC8550A220628E18E022DFA9D7,SHA256=B5E9626E81A8B45F07D5B1B776142B4EEC970B313849D2DC338EC4951F9EF228,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.400{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_apt_actinium_persistence.ymlMD5=E845E78D9AFFDA4F22B40006ED2C9A65,SHA256=50FB1DD493E9AF70DB50EEF7A2FBB39A6729228B222BF55427B5CA5E862F0E4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.398{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_anydesk_silent_install.ymlMD5=A76EBF40107A483D482260DE55E60132,SHA256=22AAA04F85B7868D5785F022BCB5CA26DFE2AE73786A607D0D22ABEE064B0953,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.397{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_anydesk_piped_password_via_cli.ymlMD5=4943B2144DA5CBA87C0F9DD229CCEA8F,SHA256=5E8BBECA7ABFDDF3E86C3DD7296A3B3C765A52FD71EA8AB21E0E42560305F3BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.396{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_anydesk_execution_from_susp_folders.ymlMD5=1D29C207170463395E845DE54D1824CF,SHA256=B05E1565DD4E2FA9135830586678FEB1A7E67E2216D367C079F49AB8F0B285BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.394{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_anydesk_execution.ymlMD5=D86015862BDB42F3541097DF59B34C19,SHA256=F29B0457315AE4F60F59FDFB0DF359FC1E85F84AF23B2AF9C583064CF1DEDF63,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.393{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_always_install_elevated_windows_installer.ymlMD5=25C6254A70264CDB56132F4A861868AC,SHA256=7BA30981C91796291D75730D0C12031F526BB78EDFC7A6BDF43A6AAD3F5E7470,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.391{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.ymlMD5=614AE61AE87F759FA93702CAAF08CC95,SHA256=77501D60A93F94372E89A7D6C4B56B1BE35759821A96B086DCB9F7D0643781FD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.390{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_alternate_data_streams.ymlMD5=A679CC2EADEC840C3E4FDBD52B60DD4A,SHA256=8EFE26CCBD3F0836437D9A421F9BED187FC2FBB126F8DA23C3702B8FB4AFFBEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.389{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_advanced_port_scanner.ymlMD5=EE1AEC64497788FAD5DF9F08DD167267,SHA256=E4240526EB118D9C33A09F0EA19C9368D37F4A61C830FCABA841CCD3EBC703F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.388{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_advanced_ip_scanner.ymlMD5=8CA81C456FDD090B851C6E5F2AD51C53,SHA256=7132DB1E41932F921600FF1831A37059666994CF219DD3EA0929D232DECE4FFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.386{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ads_stored_dll_execution_rundll32.ymlMD5=5C4EFCD7E3CAA802AD1647B24E288549,SHA256=8ACE3FED7E9DF1D0AFB51424F3A425337907B9D3C56C39685AC8DC981C2472AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.385{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_accesschk_usage_after_priv_escalation.ymlMD5=6F659F8B49A7EE4CAA7084A156DEFBE3,SHA256=FDAF8A0E445512D8044D33BB790B8FDAB39B14AB5D7F23C0EAC49C27A4D45E78,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.383{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_abusing_windows_telemetry_for_persistence.ymlMD5=404A03E014494D10D05EF76DB47A4FE2,SHA256=8E7242F6DF07E66D27CDC0FF58BD88F163F63BE20880684F673EA40300CE9B75,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.382{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_abusing_debug_privilege.ymlMD5=3C1C9C81398203F052DEC7D3D9B23622,SHA256=EE9DBD38B6FE4742CC5CBB5E8E7EDDD8E6DB55643B3ECE2877543ED2CEACA3B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.381{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_aadinternals_cmdlets_execution.ymlMD5=59F88B3443653F3A213DB19709B1FD72,SHA256=862A80D89DE0EC11A56F1274350E162B42B3CE24D846E1AE4D34EDE55E9A0145,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.379{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_7zip_cve_2022_29072.ymlMD5=E95DD4BEB66DCFE903A1648DE849066B,SHA256=52FD17E2BBE65843251A3861F7AF1718A461130E392FF0D59A65C2DB42F8ADEC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.217{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_winapi_in_powershell_credentials_dumping.ymlMD5=66D03218236CB088421A627A62A0A7DF,SHA256=14B44A334E4E96B63381720E873046609227495C4E474A9E1120023DC707E5F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.216{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_uac_bypass_wow64_logger.ymlMD5=FE7527854DDF5C71A84C639453232A76,SHA256=794F9678BB98159F1218FA30FE9D2AFA0E142BBCAB0F39F323BE7C6B623F356A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.209{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_svchost_cred_dump.ymlMD5=F0F53AEBCE931A124E3E985C2CFFAF0A,SHA256=AE72853408E7E0011C0361AFF61B9779F2073ABD98960AAE0DC0C3B043CAA986,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.204{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_susp_seclogon.ymlMD5=51C7FCEA842D2B4CE9EB4E55E519DCD4,SHA256=A9D78120033DAF47C6897C747E2A0942384743944987230834F5931C00DD22BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.199{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_susp_proc_access_lsass_susp_source.ymlMD5=57028C20100B295C18501D86FBBC9BB2,SHA256=B63322FCF88FFA01AD4B002286605923DE73C36866AFF4A8C41BF2B05533ACA9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.195{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_susp_proc_access_lsass.ymlMD5=022DDA841E192D91C2940FB204B4F71C,SHA256=D97D298BD6CEF174B22D21504E499040FAD6B675C049D987E571F6D4062E8821,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.194{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_shellcode_inject_msf_empire.ymlMD5=E24DCDF7BABB934A379482EDD5A98C10,SHA256=1AA9488729BC11D33EE41CC382EECED78D39BF4CDB176433182CBB23EF745544,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.191{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_rare_proc_access_lsass.ymlMD5=C2C5FF627227EE3A7FD3E37BE622A632,SHA256=B488DB0B824A75EFEA28C1CAE958EFA317EB79207C9959124AEE91C88075033E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.189{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_pypykatz_cred_dump_lsass_access.ymlMD5=F8CFE479C375519912BE63964DC0AD64,SHA256=311AADB4E6801264923AF16851D88865E2806E6B89B67A407216CD770121B8AB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.185{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_mimikatz_trough_winrm.ymlMD5=B22A9BE9D94A6867638D2588B9D09F6E,SHA256=AC8CC8832FBE5B04DA98A3715CF951E0AFDD615ACA34478EA02E274C9F34DA83,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.183{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_malware_verclsid_shellcode.ymlMD5=7BC4F6E1EF48F4C04A03361C1A0724E0,SHA256=D9CEA2E53FEE5474119D75AFEF80D26D964500528C932732D12C27B8C38DC348,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.180{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_lsass_werfault.ymlMD5=E0B6C77BC49D65E112B388BC5A8CC8F5,SHA256=8F8D3DFA0601666FC720AD1370E52E42AEA56A0486A71B3D76F264EF181C4827,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.179{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_lsass_memdump_indicators.ymlMD5=DCA3887B4E3CDADFC71DA010726F02BF,SHA256=41134D3A1DD766C3AD25D56331FB52626908A4CE6D99C14E3D0032A9E56E3771,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.173{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_lsass_memdump_evasion.ymlMD5=37021FB66BB64CC5E0F3F757C05ACCC1,SHA256=3D70BC416A4110AC7B691FB9BDAC47701A75C046A63EED31F9CF41633A9437AB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.171{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_lsass_memdump.ymlMD5=FB0D656D8E09D08EF986AA4085BA8198,SHA256=50CA708721C9ED4DE457EBCD0490D2CB9FCC5F00E0D054AB1AA3B0CD5E5178FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.169{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_lsass_dump_comsvcs_dll.ymlMD5=F770EE5A2DB57F39AF0B4C9F0EDE2802,SHA256=540B089537DA3A959AD1B695BA8EC79A732216389C85302B611FC00BF99DBC2B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.165{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_load_undocumented_autoelevated_com_interface.ymlMD5=9C27255F8C1E9CA70ADA3899EC1E3467,SHA256=1051D3CAAD5099D3189A58366D8600D19A5418773F978637FF31FE47A689161E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.163{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_littlecorporal_generated_maldoc.ymlMD5=52975003C68BEA50749E67B3DBA900D1,SHA256=D3373AAEF9238EE4BF2441F4D64F4F97CF23369F2C5DC05E44108667E0769B5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.162{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_lazagne_cred_dump_lsass_access.ymlMD5=1C2739FC1A44790B93F65DD369C7FAD7,SHA256=8CF7172F9B30BF4A6C2FD6D5D3F46684751A515F9AC6E6B90F03AAE46A6286A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.161{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_invoke_phantom.ymlMD5=09B37B53CFA1F429000075EC287DFA7E,SHA256=EE8E04D6EE3546FE4A99542B03D6C0ED9559BC39A43FDC66C09B0A1793D351D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.159{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_invoke_patchingapi.ymlMD5=A805FF27761838CD795F7D48C233B7FD,SHA256=FD0F2E47885C90ECE71A5445E7519C3CDF972CAF7E516E05A9E7D70153921C37,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.158{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_handlekatz_lsass_access.ymlMD5=4B51180ABA5C916ABC771A501D0E893D,SHA256=FB4B73304EF5B81CC07CD507B2FEF579150E504862C023A8487A4DA0E3EF6ADF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.156{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_hack_sysmonente.ymlMD5=69EF96474FBB057F509F527E50B84E64,SHA256=61D98C6E0A18F02A1549C280489F60F8BF949710630A96A1103860D62988A1DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.155{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_direct_syscall_ntopenprocess.ymlMD5=7403DEC2F18CDA06EE01C711AB4C34F5,SHA256=7D2D4B431E6AFC2E7DEC15780F59761C35B2FA97FDC76EE724557FCF49EB1B44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.153{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_cred_dump_lsass_access.ymlMD5=31CC7B0D7CAEA8544264D0235B9717B4,SHA256=F1BCECBD88B10B43CC8E9E9C5785593284A2B84FF17B4CF4B45BEB7F81538FFB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.149{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_cobaltstrike_bof_injection_pattern.ymlMD5=D8590D5E08D9E9B04238798D1465E04C,SHA256=AAA1801A733973DE3B6A23A24B9C6526B058D5459FA78926C4BC3A40D1D5B15E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.148{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\proc_access_win_cmstp_execution_by_access.ymlMD5=1ED73419A9A8C4C8C54ECB57E0C9269B,SHA256=3F3DBA639316FF042342B3B2D7986AC5AAB9C3FFB83AE6D774F9AAC7D92FB127,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.142{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_xml_iex.ymlMD5=DFD4877B7407DD58EDCA5D799CC865D3,SHA256=2AEAD0F11B91115A95F72DA6D70A3CD7AACF1C3B6B1BCD172BE30618FACF4B73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.139{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_x509enrollment.ymlMD5=0AD93CC7C668385F30177265351FA61E,SHA256=C48184E644A82576347D6400BABE8C9AE3F6756E93374208DB53054AA1A6133D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.132{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_wmimplant.ymlMD5=350CB0E03AF65E0E86A28E67CCD8BD5B,SHA256=44F0F31F5ADAA62CD3F14D8C73E77E96AF0743A6DC0BD95540D70493BA08AAC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.128{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_wmi_unquoted_service_search.ymlMD5=D2B70C3A64A3BF6238162EBCEC098F8F,SHA256=DC62C8950644078A2A2695DF6E715386980E7FF65E5EE338BE565697600F8EFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.126{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_wmi_persistence.ymlMD5=9EB80AD41A7DB1E275440A883AE60A7D,SHA256=E72D19BF635F3218DF98A8C960EEC99E2ECA5A8AC35323C581CD888490698625,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.121{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_winlogon_helper_dll.ymlMD5=975D06EB84BFB30BE29733306A690166,SHA256=566D617738924F60F3D69CCA1804EDE6D11FABFD06D06DAAD76BA3E8B0AE230B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.084{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_windows_firewall_profile_disabled.ymlMD5=2A82EBE14BA1E9000B3702580BD6BA27,SHA256=8BBDA9F54970BFDE6881CCE46545CCE6D9B6206B2732CB352353319BEB656545,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.074{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_win_defender_exclusions_added.ymlMD5=E6438305CEDC25D4A6339C520E3E9525,SHA256=85AD1FB13928C15EC50A3526A02351E0E68A30CE03844C212A54F4327FA45DAD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.072{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_win32_product_install_msi.ymlMD5=BABDD2EB56B64155F94A441BF12E98EB,SHA256=5A56F79F8D7936636687F3F71736BEB782BD89EEEC6C095AA46284BB567373D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.067{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_web_request_cmd_and_cmdlets.ymlMD5=8E58D929C826E96AE48817824B5778EA,SHA256=DC7872A12E4D677F6854EEE79054D16B7B8C40921568E5BDE3D54146DDD88EF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.064{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_using_set_service_to_hide_services.ymlMD5=C31C3FAD6CFFC8A3A3E47E0595340D61,SHA256=EA44CFBE7188CADB0ADFD3C9CA7AA8B533FB167565AC0F0C5BDF535CB791C689,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.060{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_user_discovery_get_aduser.ymlMD5=C6CFD7F3EEECEDF73868C1BFA30452B0,SHA256=7D16943B61FD19FCC7A7C864E4A70539FFF35B365D482B09C5DF2B1E5A6CC7BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.055{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_upload.ymlMD5=13A3234E15C4B694EC11D13CE57F1EDB,SHA256=FDBA98D1CA895E6A1335966D0DB8CA1A0A171AEEA4B67EB566D82A13082AAB34,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.050{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_trigger_profiles.ymlMD5=F2CF69FDAB731A2824E7BF1EF5728D9B,SHA256=4B675051C76C37B3DD12D5CB0ACA7ADBD692E470DB34FE9DF4C3F28BF819F8F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.044{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_token_obfuscation.ymlMD5=AE4E933B00A235B5DE557AFB1BCFD9EF,SHA256=1BEF6C160FFA5A9B146C7CBB04D45233E66148443572380FBC286622DCBD172E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.039{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_timestomp.ymlMD5=1A4A23D6F36DD1DFE411CF8563AE3110,SHA256=F839EF288F544B1DDC2CBE164B0585476677D2CC0995EB8C914EDDE15F8070C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.038{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_test_netconnection.ymlMD5=BC7682A5FB503C99E72CD035888B7751,SHA256=D7DC8A21DFB876C2C94DC682A1E063A8AA822ECD0431A3827CFDD27891F3F261,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.036{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_tamper_defender_remove_mppreference.ymlMD5=695E6304C9BB235DAD32DFC84C220401,SHA256=C96FB26F1F1CB7D028C326EF67083EDD900CD64FEB5AD91378F113F13FC711B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.032{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_tamper_defender.ymlMD5=86F9B2F1885234250991A5289067B7AD,SHA256=098B7D951E0225370A28CB9B07FFE15522146A7958CCD579FC5E50BFBD5E195A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.029{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_syncappvpublishingserver_exe.ymlMD5=F0FAB0440E984686711DD539EA82FB6D,SHA256=F6336ECFCC862927F76F1FB2D9AE17611103A60944C5208E47E64974C50F7612,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.024{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_zip_compress.ymlMD5=04F89D2CC8B5C0223400AC8AB2F3EF4C,SHA256=11EF2078C5C798B9D361DC3FB8FB14B2960A58CDD1C144836342DC5E54D9E7A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.022{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_write_eventlog.ymlMD5=0B54A02EDEFA78F84CCBF8BCF5C4A57F,SHA256=F1634EFAF8CBA2F91D6BA23E2D6F7F89B9ABA2276FC23E826D396210134B0349,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.012{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_windowstyle.ymlMD5=3A4B98C293AABCEC3E3B143170D66FF6,SHA256=87EF5E10B417C123A9A5D6A4CD073469BF0C4325B3EA0C2A77849CF16B65C539,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.007{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_win32_shadowcopy_deletion.ymlMD5=69C8295BF87DEF8D400E5EDD41FCCBD7,SHA256=7D8A0DAA6B1397667636297223BBD8A139E2A76C5E6F1CA75FC6F0C68185CB8B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.005{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_win32_shadowcopy.ymlMD5=9BF1DF926833F3029BBC9D4D968B25C0,SHA256=05E4B81131E0EC1AACC4281559D452BBD714FD6BE681F8E9F3C4126ECD4E7BFD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.004{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_win32_pnpentity.ymlMD5=48EF52281B9EF602BE2ED9A6884BA8B7,SHA256=9E5CE19F676BDF52D0AD2F4ECCC639C4FA0C205606E0AD7F617C5337C76C2377,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.001{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_susp_wallpaper.ymlMD5=6BB4DA4C7BCBA0A025184E7E887F109B,SHA256=B9BCA8389CAC048E29B7C106F5DC32F3F8909B77A797F6CD6FB35956FE828D72,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000111442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:31.321{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50032-false10.0.1.12-8000-
23542300x8000000000000000111441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:34.874{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBBD1877F154136384B80A055A39B45,SHA256=BC3E5291058897D4797A48EE6CC3C9F6CC5517D6C90527661E797EF330392EFB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.999{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_execution_path_webserver.ymlMD5=90C81E69B86276D912266178C103F222,SHA256=647CE232DCF58B3C879957D2E1A2BC3CE49B7B770E8B98014FC86F895C97417D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.997{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_execution_path.ymlMD5=A42331DE2347298A6406BD672CAE044A,SHA256=9243EC03810CB4E18D17C1F202F940384F69832EFB2E30F45CD5E8E46197589F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.996{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_eventlog_clear.ymlMD5=6E2C85AF1CC2C9AFE3250318D0D9EA94,SHA256=79B6DF5BA62BBA5D1AE963489EB0D20F45AA4978E085C6CE80657F62159649F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.995{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_esentutl_params.ymlMD5=9DC14B84F9065DB5647484EBBE33F5B3,SHA256=3E829896AE98778533A94741EA53B67FB7AA854DE696778F55525B302D4331E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.993{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_emotet_rundll32_execution.ymlMD5=9231E54F8FB5C6F405574197F1E4B708,SHA256=A52F68CCBC618E14ACE3B188833F7A5E63D9473E88E2B0803428DDB11AE91574,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.991{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_electron_app_children.ymlMD5=5431CE9A534C4C476CADF4AF6332246E,SHA256=E69CB457F70BB7DE56E1F67F4A2C253A1CB276BC31BF566204F2F47B2D2B40AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.990{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_dtrace_kernel_dump.ymlMD5=1CAD3517FD1D60E9AE9ED61041DFBA41,SHA256=771A899FF7C65F54B097AEC67D6B8478633E5899473B0BA998DF33DC613B3CC5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.989{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_download_office_domain.ymlMD5=2267254584D7142142ED1D8C3821A0A2,SHA256=41294FF5DF00F4231FD70C68B274BE442E7447624A7E3B008AC3DBBB2ED958D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.987{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_double_extension.ymlMD5=04B487AF9FB6237A4582B2357E009AA9,SHA256=7D12281E72EAA41FA64BE10E0FC9D3898C21AF1CAB4BFAFC8851D7171AADE0C1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.986{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_dnx.ymlMD5=060749A811E439060F4DCDA797ABCEB3,SHA256=D2F51CF31C4ACB957D25D156B178C53B5CF9E3300F7AFCCEA4AE512DB39D05F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.985{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_dllhost_no_cli.ymlMD5=1FA6FA696CC246D0C20FC66A08FD6EDA,SHA256=AB36007BF6A16E94A7DBFD803B8C635DAF212F30BD398CDFFF6E4B44FCC43681,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.984{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_ditsnap.ymlMD5=C9D0D7142A08BB667589B29FC2B9F1D4,SHA256=37ADE18E211267842F35181079B81A1960BAB20C3BBD60E9EA0ABFA2A91CA9A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.982{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_diskshadow.ymlMD5=A8F146829323D0310C47BBB894AE8CF2,SHA256=2F4B0CC4DF067816B1C8749E04C1E4D1EDAAAE699A367C7E9F6CEEC78107483A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.981{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_disable_raccine.ymlMD5=E0EB49D4DD7F780EEE8A4D8BABF81797,SHA256=01BFFBDDDCD7C55EC827DA9A149B1FAE47705A8C75F7BA0FA947A4D1A5A14FBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.980{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_disable_ie_features.ymlMD5=BB50829A94EB3210896899F9EDE5AA56,SHA256=8D634DD01B115B550ADC377A79A4113C519A2069F4D76E9565FCA3D95846C493,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.978{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_disable_eventlog.ymlMD5=4A6980B0C34038023F40D2EF5C4701D8,SHA256=57B7F6BFC3BDCDFE6324D25BC45EEFD5BD3538DEB28576C0EABC9AD3B70D90C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.977{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_direct_asep_reg_keys_modification.ymlMD5=D1893E81AB6E681753E98B1C3D03C11A,SHA256=CC5C37A4867366CC456F6280075707AEE5B2C437188175C0247FD185DBDC0767,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.976{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_dir.ymlMD5=2A8D721C520876F6026D28CFEB7A5C67,SHA256=0E949281F6E922E5DC7501E4B5D36F862182A890E3CF84146D4625C9156274EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.974{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_devtoolslauncher.ymlMD5=DF01A7F952AC4D74069A13CE951F2086,SHA256=0265F03176C919ED7AC625AEE50B1096737C4A083654E4418EE5A4CCAB44CD55,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.973{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_devinit_lolbin.ymlMD5=7B36DB76BA1F82A080D824727F6B4EEC,SHA256=985955B66BB21634B62E1E0C0DDFBEFC2EC5AEDCFFADFAF9CC4A18B186AA9AE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.972{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_desktopimgdownldr.ymlMD5=599BBC436366F739E46A65EA455F74F0,SHA256=BB2E9BBBF212DEA2BF64EAB278C53664033901CB5FA19F23B4C1AF398BDC98E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.970{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_del.ymlMD5=5CA6C1191E4FCA8BBABFF941751CA085,SHA256=130F46A64EED5EC89365376A27807E83BB6570061A954F39E2A13AAD44E69E66,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.969{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_dctask64_proc_inject.ymlMD5=10DCCB6D95C322F14A9B0BCBDA2E5C5F,SHA256=01292FCC2D8A05969D1B85D4F81B0F2DEEA7DFBC988ADD729F27835F4244DFF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.968{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_curl_useragent.ymlMD5=771B9FD6E5F410B6161D8E07B494AE13,SHA256=40B4D0BA828D670E0ADA030B7AAAB264559980764CB5A18DB375B39273551269,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.966{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_curl_start_combo.ymlMD5=839C94D05A03B50C402476CF608855DB,SHA256=CB41292D4A1A7C856854D5E2B9837BB8690956260FE6AA9FD85E62F4AA0E9053,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.965{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_curl_fileupload.ymlMD5=50265EE3AB7AFED04DA7485288D58229,SHA256=5C8314EE84B256EE5CC2D21BAA12291602646FF7A60C8DAE2FD011A46AF8D077,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.963{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_curl_download.ymlMD5=D97934CE7555F4C4386EB10A270D9644,SHA256=4F8AD080F1F79F778F7DA450967ABECD5190E23487A15EB39CE19F63068BB6AB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.962{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_csi.ymlMD5=F37108BFB7D3B3BE47D3EE714E013379,SHA256=54B778FE298374125B040E5E5CD6944CD2440FC67FDEBEEFC0D4AF69E982B68C,IMPHASH=00000000000000000000000000000000falsetrue
EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260839 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.960 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_csexec.yml | MD5=07C7921BABB306325DC9B322E0B63CFD,SHA256=1A57C0A7A2DB585F32BB7715ED67F138D926FE8548D5254630DADF86A405C316,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260838 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.959 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_cscript_vbs.yml | MD5=EE8E27FDBC0E4111549C62C879AD988E,SHA256=A284342BD594D2674731047ECC1B92284DC062B55726398CCC9A5B7C0E6DB87D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260837 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.958 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_csc_folder.yml | MD5=41AAE1EAC4FC62BC33DECA11EBCAC82E,SHA256=B7C606A6A07B4313264412C8FD0B0F93835866698A8DEF36A34A8406A79426F8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260836 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.956 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_csc.yml | MD5=5B2DC4F3ABABCED0D10268B953890BBC,SHA256=712417651517F6272758484FC05C463642D63392134CB57889FB37E3FB5AE561,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260835 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.955 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml | MD5=3CE39C7C62BCE7C8BC6ED03654613F24,SHA256=2FE3EE61C7A761486560CE91AC69C4E01D43BAB5085D9C97D12E47D8C4A9DD99,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260834 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.953 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_crackmapexec_flags.yml | MD5=726BD895982C1F42BA0D0BBB57BB288E,SHA256=51D37A3B5278EB574155A048CF3C8B0BC6F4110B2F8E748466DFFDFAD8EA93F6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260833 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.952 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_crackmapexec_execution.yml | MD5=8D613FD70269E1FDB0C560B9BBCB9909,SHA256=BDC93D7A254A3188EFBF1BE4C67AC911AD77AD01B3AE3802E1A8AA8E76E535D2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260832 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.951 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_covenant.yml | MD5=39006EFA21154ED314C2D3049553240E,SHA256=D59E12A7F6AC7CA3D25A5487B54363150694057CFC8DA42C41CDCB7866A7F1F1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260831 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.950 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_copy_system32.yml | MD5=F6B0E1362891E09AB9D9618C7B6665FA,SHA256=96211668A756A4F5CF570DEA479D7C87A4AEE36F19E2C576AC9FA1581C357DF3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260830 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.948 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_copy_lateral_movement.yml | MD5=F199A0DAD8E50988F51CB7A2AD38AE05,SHA256=665C8288AA14C7C699AFDD6036B6A76CE6DF1D1AAC35CD74C80968AA99439CA3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260829 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.947 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_control_dll_load.yml | MD5=7C4BA176EC8FEFE846AF558080B3DB00,SHA256=612577CFCC2AFE4155FF81F5E98503894DA98660D91298E4D364DCF385D96740,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260828 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.945 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_control_cve_2021_40444.yml | MD5=60BF0508ABC9E2EC184D4D99DD25A642,SHA256=CBB3283256386F89A1F1D6BE5570A46FE71CF5DED315ACF04FD55E64CE90989F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260827 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.944 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_conhost_option.yml | MD5=ED35AA72E66CCF8900AB604B660CDF40,SHA256=9D4C5B1DAB044746C7D36143E69CCE67D75B2643BDB12FE4654812BFBBE3CB2A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260826 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.943 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_conhost.yml | MD5=58472AAA4DBAF18EDE77641C86AB49A4,SHA256=30779D5292EF46F860FF48FD9159822C6264C27871C12F4B1181429D53166D68,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260825 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.941 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_compression_params.yml | MD5=1A49CE1855EAA286A36F766831A5EE41,SHA256=2F380C042C879F8B2E336765A2B2BA44139DE892493B814F322573E6FF6759A6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260824 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.940 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_commandline_chars.yml | MD5=28ADF8A6786DC8362C622657B9B29BE3,SHA256=A0B5FAD940704EBBA02C4551AC9CE87E533DF5C82BD8098C666CC8CC5C760572,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260823 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.939 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_command_flag_pattern.yml | MD5=B29CC24E626D7344CC964A5BB107096F,SHA256=2E82710AA93172B5A447D223158FD9C02D731C62E5A9EE632F66430A50B05F52,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260822 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.938 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_codepage_switch.yml | MD5=7A950BE1A8363C86A68CC2C283255B55,SHA256=94DC22B96EFB52F50D8F8D084E3047EDB6358326390E3E175C67EEF59F7A86AE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260821 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.936 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_codepage_lookup.yml | MD5=B8C522178AE58884519717D5606DAF28,SHA256=B5AF61EFDCFDDCC65B1A1B6763E2B9EDA1FE4F537B7F490C0133D377CA39FBD6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260820 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.935 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_cmd_shadowcopy_access.yml | MD5=B5C9F991AA98437F829F04342A1EC6AC,SHA256=37F01D1C6FB41F38C1BBB261AC158ACC660A569C41F1A19E8780B363DC1F0180,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260819 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.934 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_cmd_http_appdata.yml | MD5=A74BF25A58404B382BE0DDDB0D74D202,SHA256=A840D2101F2BBF36D704220C1EFFCA2BE8F1E0427101308178FF55705A00896B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260818 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.933 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_cmd.yml | MD5=A977E56B9E6490B2B545F57FC6B33925,SHA256=157745417AF17E0F3F03211D3F42612A42853085948EBBAA761D4BE710827471,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260817 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.931 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_clsid_foldername.yml | MD5=5DFB0A49CEF96506F0BF8EFEF7D1949B,SHA256=2E6C7281C001CC4E2FA6DE8613F4A8EBD51A0E2D535928C8E849CF27C1FD0D79,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260816 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.930 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_cli_escape.yml | MD5=520F9A0645AEDFA123BEEA5F2ED2D70B,SHA256=4652EBF464F3C31A64E96B01DB95D5B275AE2088D7786DC7E4589FE1A0C4A0BC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260815 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.929 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_cipher.yml | MD5=F97ACA0D9AC65BD58481BB25D88DC1CB,SHA256=EFC04B6DE9303A22A5D61E5FA025C589449A063A40361E05716C1DE615C53481,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260814 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.927 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_child_process_as_system_.yml | MD5=C73B0D0E381AAD1D0438BE6FFDCCDA9E,SHA256=82D2BBC54616515EC9B4FC78151EA36586A02CC7BCB5D31F6715119361F85928,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260813 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.926 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_char_in_cmd.yml | MD5=5F508307B55EA1A9C61E9289FF9819E7,SHA256=84637E16221E1D930E77CE36DBDE0443D102BE9FE5B58A7FE625F399BEE12EF7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260812 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.925 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_certutil_encode.yml | MD5=8D384E9DE08BDA34D994DD1A5DA0AD6A,SHA256=C8E617F1A597B806217502BBD9280064071CEC4B1C3318714AE46A1D93AA834C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260811 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.923 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_certutil_command.yml | MD5=E3CF24BAB7737932DC834477A098057F,SHA256=2D647A760CB91BDCC4ABD0B3E720A9D1895594D09F51908B2962C96F991C5BE7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260810 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.922 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_calc.yml | MD5=574163460A89D034617FCDA0DDDC01F0,SHA256=F3B3AD280D50AAD701D9DC5D067B62EA5691632CAEE0EB2262A949E3867A602A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260809 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.921 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_builtin_commands_recon.yml | MD5=B8C8E2FD970631A13022237FC5C5157E,SHA256=3D3AFB0EBAEE3431604B8768D85F50DD25953581BD2DC39B6183B48C70C670A0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260808 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.919 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_bginfo.yml | MD5=BDA9E7667958E0AA89BDD21B0644207B,SHA256=F875E0871F456020511009A9A37E8BCE0E2ED0E438DC20B6259F8D92EAA32295,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260807 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.918 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_bcdedit.yml | MD5=8F13F32980E093B09B58556A4AAB3CEA,SHA256=BC33E1545729E29C30537AC1446838E59BD4937EF5594FD957D519943488648D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260806 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.917 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_base64_load.yml | MD5=EEF23317ED0A56CA3209084986183E18,SHA256=813F161183C35726A3A2523962C3C7F8172FDF5C2C42C4AE68187ABEA516BD14,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260805 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.915 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_athremotefxvgpudisablementcommand.yml | MD5=C20357D65A884548844D3F1E0A63138B,SHA256=B0AD18AD78572BE63250B4C94CB697B7933DE08F7612589FB612211901B1E9F4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260804 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.914 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_appx_execution.yml | MD5=66BFF51128E951223CE054386E9984C4,SHA256=2D644B04EE5E9F59354530C1F46DAAADF4A1723F6DB0562884DAEB43F4033D4A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260803 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.913 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_advancedrun_priv_user.yml | MD5=ED9EF85653294CDDBD8A475BF07B6362,SHA256=AE879E9BF0823E35BAF91D871B35B2B4A39DF1F545A426967C973E5AFCD7E660,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260802 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.911 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_advancedrun.yml | MD5=D7F1D8B7699C40859383F1DE277FE763,SHA256=31E787999250F408051C60343078874892298843DA286F11EFB64F170ABA3574,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260801 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.910 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_adidnsdump.yml | MD5=4F5EBB2C95BF6E6FE474C08A476CAC59,SHA256=14D336946A3E2D698DAA0045A1CD007B8DFF09FF8FCD5C9903984A5013C07BD4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260800 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.908 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_adfind_usage.yml | MD5=CEBCB4B39640C85FD3F530E6F8922863,SHA256=3001C4B22204F88858303AEE1FC0897049D05378B7595B4D8B281DFDE6DCAACF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260799 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.907 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_adfind_enumeration.yml | MD5=965C2DB81B3F14F8E399DF00E475671D,SHA256=5E1020A8A813751006F564FB94349E80370ED93EE40BE63C48B39A7AB7D2FD6B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260798 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.906 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_add_user_remote_desktop.yml | MD5=014B52A809AFC00D9602BAB887D272DA,SHA256=D693B26A7E64798201763E296B705F813773A634FA314E1FBBAC3643BFC161FB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260797 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.905 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_add_local_admin.yml | MD5=BAF54D3148E034D7BBEEC33C9A377AAB,SHA256=A6EB3A0CFF7D657EF48131F70AFF2CFC5B4634E0BA1005AB0B55CF33095A2C59,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260796 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.903 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_7zip_dmp.yml | MD5=8D102ADCF207EEB0A688F1F0E0A4B676,SHA256=998C7AB898088A973577B6A7A699B5E6EDB18DA2C213EC0BF46CDBEC1C140CB7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260795 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.902 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_7z.yml | MD5=3DCAF693675D9979A76BFE25F596F402,SHA256=50B5BDD92C3CC5F39B0D1BC8ECEABBA69ED3FA2B96E63F68ED165DDD343EE782,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260794 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.901 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_3proxy_usage.yml | MD5=1F660D558309ABC138C80ABC034FC549,SHA256=E2C88C3B0949D71291C15414A845C73362644F8919DC51362F1E6AE103F538D3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260793 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.899 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_16bit_application.yml | MD5=BB843C4F55AD89F0BC4CE23245CFCE82,SHA256=5EF39045CC488275D061962AF51A359E5E59EBAD59DBAFEA6C8698E3A443FE0A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260792 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.898 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sus_auditpol_usage.yml | MD5=987AE65358189A303BFB41FAA4664DB7,SHA256=4D9B2B505D849C90AD71DA739E3EB30D8023B78003821527831F51FE092D7DD5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260791 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.896 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_stordiag_execution.yml | MD5=0E63D4905CA3BE6A0DB531252A915A57,SHA256=91AFEAB067541CBC25D2BD6504BCA39BFB0B3D5A9740800F9727BB30D32AFC0E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260790 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.895 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_stickykey_like_backdoor.yml | MD5=CEDF63DFC29BE977CE8F9F34058E18F1,SHA256=B431B077872E216A48582DFC96E510F97F573CCD1ACB3FB1A07D6FB28200615B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260789 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.894 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml | MD5=8B2989A2FF16A7D3B6FB941CE2657917,SHA256=B7F6E84FF31F1C7A64CBB0CD2AA1534E70111D97C892921830088191C7A2B036,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260788 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.892 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ssh_rdp_tunneling.yml | MD5=07E9703A6EA6C8D29C04D9453CDF69D4,SHA256=5B6B96A255BC758E5777ACA8D1D826AB87A36A6A45002E1A1D63CE0422C34DA0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260787 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.890 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ssh_port_forward.yml | MD5=3FD1364F6D4970611DF71AD41BC3B4C4,SHA256=B7597D6F349DBCFE5EFF1C501F9A33A0E969465129E700F31F4EFF4DBED96BCC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260786 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.889 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sqlite_firefox_gecko_profile_data.yml | MD5=CD5AB8ADD5DE3C163BAEA19F1316D542,SHA256=0D446EFD57A81C0ECF41313290DC8CF82310764FAEA5FD0B7CC7057FAA724785,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260785 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.887 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sqlite_chromium_profile_data.yml | MD5=0693E484669EEBD1A6629CC20B82CF77,SHA256=1FF622B866790079458A3236A9C2EA3E5E9403ED864E9693CF22E29410895514,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260784 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.885 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sqlcmd_veeam_dump.yml | MD5=7E2CA473262561B5FE2F0F88543C933D,SHA256=49B462107E80090EF09133492F467B27E6A5188E647488ED3311B99040CF0B3D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260783 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.883 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_spn_enum.yml | MD5=94969AAD0985C92EA0954C53BC0AE6B1,SHA256=4506720F080F83A440AD136739E8503218A717CF44664C3AC696BF40F12CB0BE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260782 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.882 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_soundrec_audio_capture.yml | MD5=A65A6F4545AF508AE5C4394B0F0F4050,SHA256=C9906C4C568D4FD4DFC3235C85EACB351AC01A73A4B0A8DF10214FB5BAA753D4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260781 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.880 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_software_discovery.yml | MD5=7EB62ED6B436A5DC3C7DCE9D1017B868,SHA256=7D169AB29D587BDC12439F10AE8E3AF13063204ED2B21924A981AFBEE3E23B6F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260780 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.878 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_silenttrinity_stage_use.yml | MD5=3FE60422F00EFD152C4463CBB027E508,SHA256=A4E18DE7D7F97386371294A8EA76475E3455E7750E06CDCD5E4B3127B52F8ED3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260779 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.877 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_shell_spawn_susp_program.yml | MD5=F00326D27144AC8668E0205EF7C3D87C,SHA256=1EF29FCC0CD151387177AEE0D1D697BEC6C069C47C66C57660E70B003A7A5E5C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260778 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.875 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_shell_spawn_by_java.yml | MD5=64570CA8AAB1B6668E749B0039C80B2D,SHA256=EF420D99D139219D861E421C32CB9B8E1FA01F4B6C1C684C11790B7426BCC6AC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260777 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.873 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sharpup.yml | MD5=31086B2B0F8EFDA18B15A6729880822B,SHA256=1B7FD9F03D47A30B1F6A3FA25835FDE68EDA92FE899BE78EE2B3FC7612C2E7CD,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260776 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.871 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sharp_ldap_monitor.yml | MD5=823F33E1DA4E242F3FF2F6BDE7946AF9,SHA256=1FEADDF480556BBC8625A3B9A83737246317169D8FDCA6AEDCA6B3F9619158C7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260775 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.869 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sharp_impersonation_tool.yml | MD5=B5E4FB2AA7BF2CB37D941C9685F8B174,SHA256=15FE61B9D13E87626D70549519641B14305F127CD2B205B04AFBD3556CE33843,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260774 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.868 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sharp_chisel_usage.yml | MD5=A55319FE6C83D4FFE0F6CC3B2BF5AC89,SHA256=6B464B41ED8E9F1DDD2C8B836E70C26BAC4BEC7C92CF5EE65D7A6BD18A21EA6C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260773 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.866 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_shadowcopy_deletion_via_powershell.yml | MD5=3301AE8173FA752621D33B95D1B08D0F,SHA256=CC7E8A64ED514CC78A21BF076D54F09C789D5CD6C6685E5ED8C342C8B1A26C58,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260772 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.864 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_shadow_copies_deletion.yml | MD5=CD7D252281F1B7909ACFB562CD802A16,SHA256=35C5591D6D6E6D639877108612C6FE599EADA2506E796AFB7715A956D7F8D0A5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260771 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.862 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_shadow_copies_creation.yml | MD5=BB1730F8C3368DF2FA2144304F8AE6A9,SHA256=CFD7DBEDAECE8B459AF5CBB571529A3B9A574CD24F51A2ABEB50A31FCB33F162,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260770 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.860 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_shadow_copies_access_symlink.yml | MD5=E0333143D0933F6AD7C575A70BA384EE,SHA256=41BF6170C8921F848F4FA621D91615E9CF788EDFBC5CC320A5AE0D2EC3A4F4E5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260769 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.858 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_set_unsecure_powershell_policy.yml | MD5=A5B39EE1E6C72E04005494D565D1ADC2,SHA256=FD5D5349FBAD7E8B2884EEDEB4614155D7363BB07BE599DCCAE65C7399065A2D,IMPHASH=00000000000000000000000000000000 | false | true
23542300x8000000000000000260768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.857{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_set_policies_to_unsecure_level.ymlMD5=2FF1EE4A341CEB600E10F815073AF341,SHA256=3A8062ED3CBC9C7F142749667E76691DC058545C3DFCB3A20F26B33C6E099982,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.855{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_service_stop.ymlMD5=0653B48940F61CB101785FA1A298B4CB,SHA256=DF74FE1510A680370A39145DFF727CB47A54346936D334DA72D52972CE5DA251,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.854{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_service_execution.ymlMD5=7A80E65FAE5872E8D33722BC2FBA96AB,SHA256=D38BC73D9E7AAC33A8E53EB0A9D6DC6D7EBF0F70A81BDA125B11B77BA5539E94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.853{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_selectmyparent.ymlMD5=8D9E688EF70CEBB31BCF2034B98E6E22,SHA256=30E781573826C75A9F7B90315FD383E975FAE98A950D107C9F787BC96BD376A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.851{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sdiagnhost_susp_child.ymlMD5=A0FF88F8EEFC9903F097394CAF7ADD34,SHA256=35BA050BF6F7D76AD4AD94F7C012943AB13D6175C6AEBE256533D80ED7D2920E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.850{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sdelete.ymlMD5=399300889312013A5C80AE8B36EA1A0B,SHA256=8005A0BBD366FEFAC2DAC00453A87A5CC9818BDFBE1092A4CBAA76B7458C1C88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.849{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sdclt_child_process.ymlMD5=B083B363C8B8FDAE2539F352410BB774,SHA256=8DA08181A9CB4244C20E6D50747F98AFE8D5FB06F17A27A7FB66E706CAE5D413,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.847{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sdbinst_shim_persistence.ymlMD5=7297CD91924DF65130826E387BE6739A,SHA256=C4BECE2844E3D4E37FC34D5D53E55197C7A17FB8D87877949484FA938B5779F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.846{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_script_event_consumer_spawn.ymlMD5=24DA505E5A2F4C7B83ED9CEC3300C239,SHA256=1DD08EBA2CA01C6ABA09D77223A3C0C6D35BE53FFB0A14FFFE01B87ABD7E844A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.845{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_screenconnect_anomaly.ymlMD5=69BF9EB8872CD9895F389879853E7D66,SHA256=2613FCA521D60AB817846EDBFBDE0FB67BB642F4CF04906FD04940CC5B483869,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.843{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_screenconnect.ymlMD5=C43B486C567A83F681F652BBCB92B7FF,SHA256=6DCB664C301AEC420269E3B5DA6F302D7E2DFDD407A7E4D86F40B5A2EA643E51,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.842{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_schtasks_system.ymlMD5=AFEAED5EB53B55172B5B2A7F336850B6,SHA256=87B60BBD19813A1B9493BBECC8D22977BBBDAA99D284D0DAD1445BF846567707,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.840{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_schtasks_reg_loader.ymlMD5=B222E86F4FE240D8836A28C39C6352B6,SHA256=E6DD50E79AB43B2CDEE0BD328C286D1706704749C1B9F65B7B31411F643B2D32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.839{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_schtasks_powershell_windowsapps_execution.ymlMD5=6F09FE0EE1C6C2F2723FDE4C7578F3D4,SHA256=E66C9EC3BC0DCFA2E64BB881D865FFA4ED506BE62D8FCF064E0F0A3BE1CFFE83,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.837{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_schtasks_once_0000.ymlMD5=664F11219DB015E14D9C0063A91DA4DF,SHA256=418394C1E5DAF74C77205612B26DA555E869375E1D7717AB12884C404CB00D9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.836{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_schtasks_appdata_local_system.ymlMD5=E3360BD2530F9FF0225024B9FDEFB220,SHA256=80D176168EA0257915725327D1EC25A19904B99D99F9C1E2371215DFF437C361,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.834{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sc_query.ymlMD5=2EF124C441750EE152B2C2235709833B,SHA256=F0B292DB91BA495001D1185A199AA228750927F4E6D433E748019FD16FE0107C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.833{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sc_delete_av_services.ymlMD5=2C674CA3E4DAE369F4F7288A580E8FD7,SHA256=FB98630DDE53979D75F1E660D17CF4961322EA70A5B1D7D3080688C72C323305,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.832{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rundll32_without_parameters.ymlMD5=E9BAF0CB2936CA6CD9A63643F0DC23E3,SHA256=A3AD2A708D28883FC6070CCA3EA8ED64A1259660CAF050A680B43835B2B958AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.830{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rundll32_registered_com_objects.ymlMD5=BBBC885CD78EF78A2D524B1F07F339D8,SHA256=0C03473801C92E6D4C83080471AAB02FE6DA26F30D21708BFAEB408E7FB11EB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.829{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rundll32_parent_explorer.ymlMD5=B4A21ACA42FACD778261A77D58957108,SHA256=873D33A9742602AD9C08DAE3A4B8227392491D12BA4CA78A72CF8782EA862982,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.827{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_run_virtualbox.ymlMD5=C8363BBB6D08729ADF355BD17A53AA3B,SHA256=9B1B7B6469603D0FAC4E533CCF957C2489F1D1B4BAC4A0FD0F8003FC3516DFAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.826{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_run_powershell_script_from_input_stream.ymlMD5=8D4A6DA0828846031366FFE788989667,SHA256=7139EFD3DA2FCE296BA369B0D45B7A0052EBB7885B429A04F59F6D9072D98E8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.824{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_run_powershell_script_from_ads.ymlMD5=24CD2DD00AA0AE992A22DBC301B93158,SHA256=107B8FB52F17D8C47F6B61E7589E8326D80F3772268549D19D15A7FB2F6675CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.823{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_run_from_zip.ymlMD5=E90859B7A63B3320EFE7451D09B5732C,SHA256=687BD6A64EDC7ED58A7A6A44F6B48BE08A54B3EB1BCD2AB3D7D18FEEF0A6141F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.821{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ruby_inline_command_execution.ymlMD5=2361BA48EF4B3BFDA95F76D0915BC9E8,SHA256=AA7DBA56F42F687D44D9A81EB4C7D286759B29B89F5792318FE39F23E09FF657,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.819{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rpcss_anomalies.ymlMD5=1B1E4E292A2779DA2909E75BBC5C23B2,SHA256=4BDAA0011499376BFB4546EDFA39E6D946A150B1A4AC5FFD09BC4EC9C5BEE31F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.818{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_root_certificate_installed.ymlMD5=E98024B2CFC69869437DC9AECA40FA5C,SHA256=2AA418F1BE14F40C1555523932328D4BD5F1E8F7FF78FADCBA14571D15333FE0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.200{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rhadamanthys_dll_launch.ymlMD5=D7240265AF6098BED6270C2AB0CBD6C9,SHA256=BD224416E7C8E9A67341225EFDA07E388134DE29C60E2444DB62FE408970D01F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.192{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_whoami.ymlMD5=D07466272F5AAD6D17735D8B61FB62F2,SHA256=762F92F520904AA6434F8B4A977213D7B5B8235FE22CA2F6FF23434D15D969EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.191{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_vmnat.ymlMD5=AE0BDB461EEBD9B57C2E9FDEF8624E08,SHA256=0BB6A128694EEBFF88C1AF9B060A38F361EA1FC3F6AAE098126E637C8AF63FD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.181{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_sdelete.ymlMD5=96950CE1E1EABE9378B027B2DD9AF49D,SHA256=F3B02D51978AA85CCE6C3B5DA8D0F0424DD2E3FEA16A06EA20B58FD2A19699DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.167{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_rurat.ymlMD5=3B75251406AB9F3E79085055935EE900,SHA256=620C78406FDBCA2DCDAA69F622758D6E388570EE2678549FDB6B04B98D78FC4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.166{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_rundll32_dllregisterserver.ymlMD5=A3D15C8FE6E95D2CDFAACA3EAF089201,SHA256=E34C9B1FB6266DEF5A705244308F81ECC5D6C3C8D2626A9758B626C7FB7DE185,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.164{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_procdump.ymlMD5=F535D1697CD333E8B8C3DB737E630855,SHA256=3B945E25580FC8341638F016193F572EC63C97EA5494EF611B3AF602CCDCAC4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.163{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_plink.ymlMD5=E5EDB58C754A874117318AE16E1934DD,SHA256=23F37C1F6AE2F83D0B908EC23EFD4170D5FA451C5B9843DA964D5627A18B40AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.162{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_paexec.ymlMD5=50545A16D2ADD0B1C9C84CA51B392F95,SHA256=D551D9F4D2A96AC67065B3661DF48E3FE8F46D80461AE2FFBD35AC1C577CD335,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.160{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_office_processes.ymlMD5=EDBE12275E7AE65A2DE1246B4AB3C8ED,SHA256=3F45B7FEE11EF2A98CA31FF0C1C1A0684483071F4EE45EC8592AD605D2919F7B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.159{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_netsupport_rat.ymlMD5=296271D594586B8F6BDE2D5AAF05202A,SHA256=35BFB40B17355C9D750F6EA2BE1701D5F32525710F2AFFC93786F3C6DC352319,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.158{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_msdt.ymlMD5=4266FA6D55C8DD3E6A79C12DA1EEACF9,SHA256=80B118D0F67E423EE5ECDEB3EB507EBE4330888114A40461CA0ADD185D76515C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.157{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_megasync.ymlMD5=D91EFA20473B3EAF0CACCB8771544F48,SHA256=6A78BB9E541F103F1FF2DE3BBEE681371F7A550562FEC4963FD19C267EB5AB77,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.155{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_mavinject.ymlMD5=30E9AD0C1D16B855F0A49BC513B7435E,SHA256=E099758CD62D0BF3EA0968C7153208BD31C4641596F75D9731745F7A8972DA38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.154{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_jusched.ymlMD5=FEB0D69020A843AA31BAF003E0935A6F,SHA256=2241AACEF8AE5A61BFAB92062DAE3A06A646C6F7E9B9E8F2C09826506A6B894B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.153{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_ftp.ymlMD5=D0B45493A289695888CA0427B94A9867,SHA256=316A5215F0C60ACBF65DF7C990668C86A68BB294B7E40487D470C3BECA6D25FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.151{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_browsercore.ymlMD5=44597A5D374B3ABE66A1E0CF8009A64F,SHA256=915B8BA5901C32AEA286B680EC60F43E33EF32C4274AF9E291DBEB178F5C567A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.150{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_binary_highly_relevant.ymlMD5=4689879462E08EF6FF027169BC801EEA,SHA256=B5604A33D9908B6B7ED271C2AC574EAF35B90F63C326B29FF7B7E7BC7F6A5F8F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.149{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_renamed_binary.ymlMD5=30A87DA0A471F9647A6298776F4A8418,SHA256=031F536C7AC4A8F2C83A8EFFE8ACAC3F0507CF82F9C840C4CB7C9B167B8C7AA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.147{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_remove_windows_defender_definition_files.ymlMD5=B6867E2CBFE9BFE07E0BD262F306903D,SHA256=68B86AA4A819B0FA3E7AD4E7750001EAA0978D1F159C28E2BD7804AA7BCF38C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.146{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_remote_time_discovery.ymlMD5=637F319E0A8AA97EACF3DCE5ED790DCB,SHA256=247C8CD3A7CBD3F944FE48FC0AD270B7100DD340B2F154A7E089099F883CE1DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.145{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_remote_powershell_session_process.ymlMD5=608E0C59BBB9096C7A7CCEC610C3E6C9,SHA256=35675CBD96A6BBC56855A20640CFAE862319C4EBD6190238817B4FF387756AC5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.140{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_remote_file_download_desktopimgdownldr.ymlMD5=5259734577FA58D7A8A9E13856901D39,SHA256=B13F63BBAB099FC324BAD2544F68CCF954D1824AF53733B6F3AE9FDAF9263B17,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.137{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_remote_desktop_tunneling.ymlMD5=98CDD767F89D638BB1EBC5D1397EFEE4,SHA256=45BC8DA166A7A936940C8AD4EFB323F7773883E24756651868374620E26DC16D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.129{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_regini_ads.ymlMD5=A8BA3756AD921044EDC80B0A109639E9,SHA256=5B003D68F061F4534CF6612A229148694E5700F063E42FB44FAE968A93C4E5EE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.124{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_regini.ymlMD5=03208F541CFE43F469F840B398F1806B,SHA256=4603C55D554AC264F566F89F2BC518D801EC7D973790FE284960E9BE7FA2E218,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.123{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_regedit_import_keys_ads.ymlMD5=669E68380329B035488B2B932EBE6BC2,SHA256=4F32B9ACDF2EFEFDEACA1F326AB22ADB46E14AE9FFAFB4339D336EC291FEC37F,IMPHASH=00000000000000000000000000000000falsetrue
Sysmon Event ID 23 (FileDelete) records, one per line, fields pipe-delimited; column names follow the Sysmon event schema:

EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260713 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.121 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_regedit_import_keys.yml | MD5=574CC7CA4EE8F82D79924F47F59783E8,SHA256=C63D773AF0984513F4DE1CA6167F1A282B64AA4B80FBD62FAC8A9654EF9EB69C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260712 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.120 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_regedit_export_keys.yml | MD5=CC511515E538A3F97773932530965893,SHA256=8C961607EB938D41CD1DD946AE3074D68FFFDF3BCF3E8F7539E9E5B3C633B8DB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260711 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.119 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_regedit_export_critical_keys.yml | MD5=312B22A2FBC8BDA14A1C4ED3086DA193,SHA256=C9889A1E1AF6D4B3AA1E724314E880EB734EF586E224B953D5E0B4AFD77A3143,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260710 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.117 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_service_imagepath_change.yml | MD5=6973C3B14D6163010DCE5B4B4C48CEA0,SHA256=4753126F00BBDC1626F7CE88BBB5128E36B537985557FC14AEEC2B823366226C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260709 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.116 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_lsa_ppl_protection_disabled.yml | MD5=622AA0D93C044E017799F3955156219E,SHA256=065B362C9CE288914DE36F0F94D1FD0338992641BC4DD4FF4842B4FC0DB1ABDC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260708 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.115 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_import_from_suspicious_paths.yml | MD5=E4A583A0D7C295219EB55653C78C056C,SHA256=1B9945DA69A92C1E3428A2FEB038FB9081F15B5A7F3F4F642A6CB5F47EE25BAE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260707 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.111 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_enable_rdp.yml | MD5=7E02A39A63CE9CD1741CBFF3BB1F89EA,SHA256=05FE797DE792E3AB55DFFE958AB0F43267E993A2499F16B912AF89284815388D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260706 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.110 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_dump_sam.yml | MD5=34B1E44E3018DF2631752EB4AC183F86,SHA256=BE80A42CAF10E86896DC07A12EABC8F402C3BC824323322167B7D787C1C248B8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260705 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.109 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_delete_services.yml | MD5=F7F65A08977E86E9E376282FE2239947,SHA256=9D0F5F06B668AB0D0179CB79808085CD236EE9316D2122FC65C8CB2CC031BDCD,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260704 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.106 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_delete_safeboot.yml | MD5=0EBFC23A87C23FFE8A83582536D3DC7A,SHA256=EAD8A88BF22DE156E4B9C3E26C724892B55374722C43073D4BA44F39BCED2EC8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260703 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.104 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_defender_tampering.yml | MD5=119788EBED3F15CB50A7B401C90DDC63,SHA256=545D495B41F54606EA6B1BC4570C99A2A43ACD7F3B974C3508BDE6CA9BB57CF7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260702 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.103 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_defender_exclusion.yml | MD5=A3714FBBAD0B18524FD69FABE410E390,SHA256=9C480B7B42F3E0114B220775E9370D940412D0DFD555BD9702A262FD0502862F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260701 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.102 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_add_safeboot.yml | MD5=A52164413C55E585A5357C098710ABEA,SHA256=E8431D6BC42F880B032C030BC7C737D250F3EBA59595CDB22C5FEA4457265AF5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260700 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.100 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_reg_add_run_key.yml | MD5=639002B8A20EB22362B0298F98FD4C07,SHA256=6EA1B1B53F42D140F7F8BB9E4B4DA217FD5DC8B545135B7313510AAF478D5B3E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260699 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.095 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_redmimicry_winnti_proc.yml | MD5=4BA3435C5AF61AF2E7E2AC87311735EA,SHA256=9336B4D911DEB5BC8918532FB55CF8A3EDD56137E4380B5C3621BC5455498982,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260698 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.093 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_redirect_to_stream.yml | MD5=457EA301B4A69679F642B602C818370C,SHA256=8FD342B9BA398DCB3FCCBC3A0DF30CE33E1278AFE1963E05BED1AA472FBFB216,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260697 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.091 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_redirect_local_admin_share.yml | MD5=63245757892AAFBD84934B201AA9C6C7,SHA256=60BF8630C80174D85600C965DBADBFEBE41F11B11A979DD93985C51D7DCBCAF1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260696 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.090 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rdp_session_hijacking.yml | MD5=87E7FED164986C122F08293649327DD7,SHA256=4DCF9C78B580EA5BC6BB39C3E925049A4D0FF22DEFD74E2879E2C9C3BB88A595,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260695 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.089 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rdp_hijack_shadowing.yml | MD5=D476B1258A864ABF02726BDFFED810BD,SHA256=296055B9866B3DE43BD82D58D8B8B2A22667FF7B4D0737B84FE9D563DAB9D2AF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260694 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.087 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_raspberry_robin_single_dot_ending_file.yml | MD5=C62A39FD10128AEBF4183810930FE47E,SHA256=2B8C96CA66FDAE4B7B2B0DC6AE6D8A6016909F7B6810417A24E395BEC6DF4074,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260693 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.086 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_rar_susp_greedy.yml | MD5=20AC3E88567185DABBC6767E417BDC54,SHA256=06B72A097582E7B708713F68D2661E3A729CD4085A107E2E7F6B4BB59B24E3EF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260692 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.084 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ransom_blackbyte.yml | MD5=7F48BBAA1185BF46EECC0D77537F1D6E,SHA256=4D2149CAB1BA9684F2BC441D695356B68BAF460680BF9732814295FA9B7E7B0C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260691 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.083 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_query_session_exfil.yml | MD5=C56D78CB9E817DD301D8031AC33999DD,SHA256=48968E4930CF5B989638D09780240699EAB60F3373447C6F3CE441CA0A95B682,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260690 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.081 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_query_registry.yml | MD5=F8D842EFB4E5959138448B7E91CAB0F9,SHA256=27F1F2DC9449240D9D8425F702F13FF209B61A02FB073B5B27844A63DC0C071E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260689 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.080 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_quarks_pwdump.yml | MD5=84B3C5D137915B4D828936FE4CF9E7EC,SHA256=DE00CBE7AAFDBDFF6AA4AE4B2132DA1FDF3F77B45AF837B9789A4BB4E7524BAF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260688 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.078 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_python_pty_spawn.yml | MD5=9567349252001FFEEB5CC1D43A27BB8B,SHA256=62C21ACCF9F8043A0C658B169C8AE8A40EF5D564A05907B4C869FC585FCD2BF6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260687 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.077 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_python_inline_command_execution.yml | MD5=DF9C0798A136EEDC5537664B54BB1A67,SHA256=27521C526F1A0289EB71AF06A1B26FF40DB905156368DCBAFA774F12A6560390,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260686 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.076 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_pypykatz.yml | MD5=34A3D3F4CF0F59A866388705B5F4B72D,SHA256=C95DFE128102FBF5E39F68E7276FDF87CEE5F46EE94BA366AD6707CBD803FF1D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260685 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.074 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_purplesharp_indicators.yml | MD5=4C408B4D77FFD047285B534478814869,SHA256=C64023D9DF4880EED83AB2DD3513D598F70A4605E90CB6FF821EC75737523176,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260684 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.073 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_public_folder_parent.yml | MD5=3F48EFE799E3A6F7C9650BA43CF3929E,SHA256=1E43EF86307CD87827F66F59DD5565DAF618A61F29BDF2EF5C35E67575FC5AB7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260683 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.072 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_pua_seatbelt.yml | MD5=D9AD86E07617AEC0D47386606337DCE0,SHA256=B15CE002E9D0DFB15060B8299B383A0AE86CA0550862A277535DF4D28282737C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260682 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.070 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_pua_defendercheck.yml | MD5=E96C97CE889F760E5B9D8DFD35B5B5B0,SHA256=5A2A6F3B34058180258629FA81093F7BDCB45313CFE78212F4395412D5652574,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260681 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.069 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_psh_amsi_bypass_pattern_nov22.yml | MD5=D8E764641AD453F91A70FA2050E501AA,SHA256=E2D01DDDB2CC3642637A6AC013BBF14E2B1BDFADA293277EFE8F781591249F10,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260680 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.068 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_psexesvc_start.yml | MD5=E5551A2F8391E7D77DC0F43EE8A3E192,SHA256=0DF3259823F313179CC16A262C1AAFDAD023C2A6D98117810DD8DB54D80E9499,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260679 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.067 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ps_exec_data_file.yml | MD5=678F8668D883B598CCBDEE131CD45DE0,SHA256=223C5DFBAC4CED5BCD581CE8CFFD240E333BEB6B4C177EEBEA5FF890D674A80C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260678 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.066 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ps_download_com_cradles.yml | MD5=08854CF93AF387C5C30D7027B569D081,SHA256=8DCE9667FEF238815BB6A47A2250FC71A6A46B4ACD240FBE7183BE4FE25D068F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260677 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.064 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_proxy_execution_wuauclt.yml | MD5=BCFFF04141D35FC420469056003B45E0,SHA256=0BEA3C59726C575E0F058C0E911B454DFE8CB5F61762DCB22EB186093FB3C8D9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260676 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.063 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_process_dump_rundll32_comsvcs.yml | MD5=418A283CDD9F25270CCDD5144119148D,SHA256=37DED14C92C227EF04B1D4B9F660ED57ED6BE47774F70D334FF58CB6C4F59B5D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260675 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.062 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_process_dump_rdrleakdiag.yml | MD5=A2C6CD0834045864CDA9EC8C33B0D8F5,SHA256=083E0BAADB8B6C45EA74F324E0B15F130C9505C1A5206544018BDD137C6B0984,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260674 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.060 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_procdump_evasion.yml | MD5=497BD41F15755BD3335932C41633BB68,SHA256=AC413BF0F71509E32B4B0634D39B3B865B251EDAEA3048633E9503AD291F146E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260673 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.059 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_procdump.yml | MD5=B9ED205A526DC6FCED71FE388A87903A,SHA256=3DA6A761B6016AE69167DFE77F9033234C0D556B13F5EAE4721EA399A7C82231,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260672 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.058 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_proc_wrong_parent.yml | MD5=8F0AC0CEEC90FC6506E59DB5235664B8,SHA256=076255B3AAC7AD5632333175411757AA3C03B5167E7CE6C6934E139B084C9925,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260671 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.057 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_proc_dump_susp_dumpminitool.yml | MD5=12845A19908B8E5DA5A815658CBFA0FF,SHA256=5D94F4F1EE6551161BF25A716698708BC5D520C1872E598D856504A0CFED59DA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260670 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.055 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_proc_dump_rdrleakdiag.yml | MD5=99A3A4817E92C870696DB75532BF18EF,SHA256=99400902608945955AFC776F4F2AACDE4BD2E3C073D7424828D3356945B1B582,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260669 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.054 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_proc_dump_dumpminitool.yml | MD5=84BFE89D81B6ED494EB34E0306BCEC85,SHA256=1CB9B377ECC7E41CDB414C2DE0602FADB1AFF0145E35211E228372E184DD66F4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260668 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.053 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_proc_dump_createdump.yml | MD5=CEEAF389F901DA7CC8C97DDAA9FEE2AC,SHA256=A6B43AD39A81CA066FA4A602A087CEE32779D1F5AC9AA35FE4B3F513F5A1AA74,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260667 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.052 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_priv_escalation_via_named_pipe.yml | MD5=79DFC2D29B72C97976CCCBD5EC61543F,SHA256=25842CE90078BCB4B99DC4321EE2BA50306F2D11AF5BE2DEAE9AE5F232BA35E4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260666 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.050 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powertool_execution.yml | MD5=5F56D177ED48AC54BF1AE7806F5EE1D5,SHA256=D415D48055236E88B01F42049FC034C61AF08DA85BA30E2D864B1B18877C4FC7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260665 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.049 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powersploit_empire_schtasks.yml | MD5=00084B9A0D7A3E563ED2703A9A84E94F,SHA256=9E6164D8ED8C3EF8FDA084C5124F953EE67DA88BD91DE48896A786965F013B76,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260664 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.048 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_xor_commandline.yml | MD5=582C1BDD84839F5EEBD20B10D63EDBFA,SHA256=107CBDA84CADFB37ACD660AAB8709965C0359E57A2609AC5F03E5D6163D4FE2B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260663 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.046 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_token_obfuscation.yml | MD5=1A6B32D3A49F558F4AC5AB5DB0256C02,SHA256=C511A274A2DCAC7E3036F7F13F46F5A0EEDE34914043EA845525D0B5896ADEB4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260662 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.045 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_susp_parameter_variation.yml | MD5=1272A1AD106CA76184D878DFF2941561,SHA256=571624B74DDD951E2AA42711A503E3059F351609372ACBF749687C63CCC96075,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260661 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.044 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_susp_download_patterns.yml | MD5=2F4095650D466AB55766FD0EE51A33AE,SHA256=2ACC4863027A9CB116617AF8E8ED708E95ECA13555A07CC2FECB20A4DDE8D53A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260660 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.042 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_snapins_hafnium.yml | MD5=97A4B258F17311694018002026AD2530,SHA256=BDE85F71371BB93D35C6B49CACECA54745D39F10D5BE7E37FD2CFF3E01B88299,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260659 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.041 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_reverse_shell_connection.yml | MD5=3CFD3F37B5EA97DECC27E0CA8780C889,SHA256=F9CA73D4DF1DDE62DBD1462A916058B2F658B2E2DC3F07F8C1A4E7D915E19E10,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260658 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.040 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_public_folder.yml | MD5=F5CEEF4085AE8AC3E9F5DF4AFC4340B2,SHA256=76D32125B87B3BD9D4E6C27D3F63FB63153D1BB89C6FF18BBC71D103B1050895,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260657 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.038 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_get_clipboard.yml | MD5=556FC02F124546723BDAAE5690592F49,SHA256=5D8BD11E525473CB234FABA18485CB22554461F289CE83000F435F31F7838FBC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260656 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.037 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_frombase64string.yml | MD5=CD1F0C44C10A4BC8F0E5E6134C7F206A,SHA256=8429838D1718610CA19A842DD638B3227BE2AF38DD1F83F4C159AAE6757EDCC5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260655 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.036 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_encoding_patterns.yml | MD5=6F59719D7927E7EA759AA1FDCBE545C3,SHA256=6150B6491672EBE524974C55C80AA6D19A501C4BD9B5E051988652B47E565059,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260654 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.034 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_download_patterns.yml | MD5=06C5CD9D9C168AA6E5B119A737686227,SHA256=437719A6FD7697AA3F04AF11591B94ADD41C9D7AEE41837E06D4BCCB34B95F87,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260653 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.033 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_downgrade_attack.yml | MD5=A11461534822DE99CD9173FAA0E78700,SHA256=8545EC7F143DF38BA5494C4D25F5C2E26A1D1A9ACD74F0C0CAE8D77D03DD95B6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260652 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.032 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_dll_execution.yml | MD5=2929E89C44204A0967C5B6596BBBFD4C,SHA256=36398AEE4AC2C915583413433053B61D65C79DBDFDF8A96C4971708077CD36FD,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260651 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.030 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_defender_exclusion.yml | MD5=D6823CF0724E905D411F2B5EC5706708,SHA256=AD3F83C754C7366F603CA81E2A7BEEECBC36D616072AE6509E5432F3A68A200A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260650 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.029 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_defender_disable_feature.yml | MD5=93C77BDCB3FE1317FC4D2301C01D1297,SHA256=CF360709778331CA30AA6D46AF6224F0751ADF99F9104269F54DD2B6202592F5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260649 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.027 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_cmdline_special_characters.yml | MD5=486C00E81A24ED175C9CE08E749BC12D,SHA256=9E7A2C57C572789DCBC0406B02B9AD9FFBF55618FE7A48ED601E46EC3EA8A354,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260648 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.026 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_cmdline_reversed_strings.yml | MD5=C463D2D905DA0F2B76EBD9F456FE3BDC,SHA256=C6C946A4A9AC1F0E9896CFBBBE9858BDDE4A14411F0CAC15CA0281F4B692CDB9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260647 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.025 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_cmdline_convertto_securestring.yml | MD5=7D0710BBBB2CE92F29E1394D7FAF218B,SHA256=D69BCCA407D0EE0DA76644D35B49110A9171B49D9B09ABE316621CF0B5C1FC80,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260646 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.023 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_wmi_classes.yml | MD5=2DFC2933B62E374311AC94752BDC5D47,SHA256=E21B1FCF1B4565E2788B4FBE68F4E71973EBE138C69476D319D00A2714A47F95,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260645 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.022 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_shellcode.yml | MD5=D27878B9E4BE84C48737F4DE72AAB61D,SHA256=AB07EB6762DA59FE3E095A94043A00A373B15B01E61BF40289A886EF9FC2E16B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260644 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.020 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_reflective_assembly_load.yml | MD5=811BF3431E258D1597FF19DA73369AA9,SHA256=DF79C300C125D2D98EDCBE01CA3C4F1CAE6E18F3C75E93A97F4586ADC2CCE146,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 260643 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-865.attackrange.local | - | 2023-02-01 10:53:35.019 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_mppreference.yml | MD5=555636E0ECF49D6276C36170E248F166,SHA256=21D0DFF7014864D1FED1E9EB76073F406479248D20DCE9DC1605027CC1174E3C,IMPHASH=00000000000000000000000000000000 | false | true
23542300x8000000000000000260642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.018{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_invoke.ymlMD5=4CCB4AF5B20989293984AFCE7566EE15,SHA256=5FFE639264AFF015C5BA9E25F9049C9B19ADA4A8CA12DCD65E845D82CF8A2070,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.016{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_iex.ymlMD5=D01AD8E6863837E9AB7670B60163C5FB,SHA256=41BB05E5BE77CC8E447A91065867BF6CE0671A6AC6DB0CBD8C9A190B756C3C4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.015{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_base64_frombase64string.ymlMD5=83B22E059E4D4DCD8D53721D83D3A65D,SHA256=7208C51E5F3201F327FAF4C60CB218C166FD8268A92B5409C05ACAD7D63A7120,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.013{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_audio_capture.ymlMD5=F571DE2A6F77BCF2EE52E4E144A9325E,SHA256=116062DB8CDC502D9D552D3987C97A44CA753A58A2E3C4AFB541B64289A9ACBA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.012{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_amsi_null_bits_bypass.ymlMD5=6A0C80A56719F301F7FC363ACA7B0845,SHA256=28E36B2356A932EB2AEFE4C31FE3E1C124107EBAD6ED012BA6784B59DAC0AE00,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.010{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_amsi_init_failed_bypass.ymlMD5=7B6084702C30CF7E93EB25ABF2BFA032,SHA256=CEE7D68FAD642F26D98977CCC3898426E748A0229CEF68F3171E362525008ABB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.009{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_add_windows_capability.ymlMD5=CD754F0B06508BEB3D53575E6C34C345,SHA256=C46B413FF47D68B46EDD37ADC11DCBEDFC4C3BDBB1E7292E3F99AA49547BC46E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.008{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_powershell_active_directory_module_dll_import.ymlMD5=F618ECB6BDB32E3F80DFACAFA9DC7532,SHA256=DCB98E2E1AEC6EB202D4C1596E893D95F7D1702C3318BD4324CBAD7E05B70AFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.006{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_possible_privilege_escalation_via_service_reg_perm.ymlMD5=A3ED98DD67B8FA9EC06ABDDF072AC45C,SHA256=9E958EB76DCDD0F300D5E71E801EFD889ADBF0B65ED85092FC6AF061AD5BBBBF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.005{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_plugx_susp_exe_locations.ymlMD5=44B4F18B1783C0698DE3C733721AFB84,SHA256=B845DED45CEC512CF2CB1B4593EB7292FAA6363E658DECD4B6008239E572FDE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.003{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_pingback_backdoor.ymlMD5=95A9CBBBFBC6F9266C092C488D94663C,SHA256=22AE86D4299FBBA5C416AA0C4D1E939D64DB29DB7D4C28176C0E987D44EDDDE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.002{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_php_inline_command_execution.ymlMD5=9783E14CE19D92418F67A674C6982336,SHA256=3451484734734C8CED0761BFA2B3DF782CF6F086517C6158DB1ED9EA3E19AA9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:35.001{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_persistence_typed_paths.ymlMD5=B8C51AA4B1D9A68F742906D8470E2585,SHA256=5023B15346F74C33553763AA8277089F72077922BD6BF426A8698E85FD4A0677,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:34.999{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_perl_inline_command_execution.ymlMD5=A59E9C289725F811AE331C16EE8A3572,SHA256=4CB1712C65FC1CD568E08073C956EEF6DE6EEB9567A222AE299DDDE1ADF2F91F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000111443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:53:35.992{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF3D0287CF049C321D0AE2A752DC0E2,SHA256=D30166299F81471C2627287E5715A303D2C4420E2FBB1AB0E41068BB307798ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.245{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_service_dir.ymlMD5=5A5AF3CE5739FD514B51E0040232CE67,SHA256=44D1FB382ADFCDF1DA067B84348ED973DD6784D755F5F85765237004E1B73DEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.244{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_service_dacl_modification_set_service.ymlMD5=C68369220E9437188E367BFDDA796DD2,SHA256=02152E31DED0B2859AAC24E6E19D10185FB6E4C6B3EEB3BA219E650026950A4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.242{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_service_dacl_modification.ymlMD5=E654CBE22C4A51BF277E14D528D6F0D2,SHA256=E40071FEF2DA64CE290C959E8C8F126DFC8CD6C4B3834B1DE39AB45A46AFF2D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.241{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_secedit.ymlMD5=B78936E93AB0AFEEE60C21EDF2F640F5,SHA256=6427A9DF624C5B9D213E3CA2A5652514ADEE2637ABBC2D4B38C5DB95FB34D7A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.240{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_script_execution.ymlMD5=B82BFFD686E87CB031BB593798301824,SHA256=B36688618E4E1DD914EE3795A0491F11055E2A3809E99F52B6B86EFB80EE420A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.238{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_script_exec_from_temp.ymlMD5=D9413E34EE7FA30C48A1CB4FE82EA18D,SHA256=011313253F66AE2949A10F632B869D9989A3D4150ACA1D6FC29B6EB43AF70688,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.237{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_script_exec_from_env_folder.ymlMD5=8BEA03E63D9B7939B612CD84DF3C981E,SHA256=5F10405347A9030D3D5A5217D4893AA246F4E14B4837CA3FE846C4FD9499E56D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.235{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_screensaver_reg.ymlMD5=6F7D1F2BCC6870ED0454FC81F504C020,SHA256=17BCCA0D0F53F6B2A41F537B7FEDB58205CFBE4D488D3099DB8EE1122D45D032,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.234{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_screenconnect_access.ymlMD5=EE7C69C0E6331A814E529519FD4F6655,SHA256=6F2B8DF1D1A8D1BC073C153CE9264EA1CFBF65285DEA6F5E61939ADCC28F307B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.233{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_user_temp.ymlMD5=49C470B56A8BEBDC7E67439156A80565,SHA256=BAD95C1AE925FC180D7B85BF2996B5E8F524EDC0FB2EDFFADBF06EC024FCF02F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.231{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_schedule_type_system.ymlMD5=49CB1F295C2CD040932D0B6CCA73A329,SHA256=BE852A477B239F3B82188E41A622B3620103B9CE9706F21CD906D66767877687,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.230{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_schedule_type.ymlMD5=85435D9B2CCEE18C65BC26A1866004E0,SHA256=FC294C4B28266DCDD2F86A93D7D4B729867CC20DEC1AD23D8952EE8C8D62B57E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.226{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_pattern.ymlMD5=15BFDEE34263184EFCA7DFA0CED7FC56,SHA256=916CF4E8497452CF365134B3D9BEB56095A28E63A2CD5AB74E0369891C2FBAC9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.225{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_parent.ymlMD5=72A43DDAEAF93B5354708F98F4046220,SHA256=EDEAF0B3A87F49037556660AECE789FD1C6B21BCDD48ABFB1C2205F930287744,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.224{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_folder_combos.ymlMD5=BCA048601572C6BEC446A9BB1F5533BB,SHA256=1190E354990E18BE30181E7EECBCA7E087203BBFD7A3AE7C78F55A16D2600155,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.222{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_env_folder.ymlMD5=6E272B7513C327E42F49B3CDC0DD6EA6,SHA256=D964C2C6575FEC11AE4E9885682792366372A6058CC65FD3F5AA68DD136046C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.221{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_disable.ymlMD5=97369A22C4FAF23BBF19D0B737B7617E,SHA256=93E339959C01572B872F6C8D96BBC62C4257CA3710259F0A763E5749E0C6E1D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.220{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_delete_all.ymlMD5=E70EE3B9A61D3D1AD324A2FC9CFA8368,SHA256=D55DF323883172CA60D1EE4901978965B783B553153A72C8F7AF97CDF68BE592,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.219{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_delete.ymlMD5=C003ACF96676F2E43809138957937654,SHA256=F6AB99DA421A80490D605BA27228E746FE01E4F8E7F55B4BDE3FB2EEBFB280B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.218{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtasks_change.ymlMD5=98084478F0F0D6E7DAE14C7CEB4520F2,SHA256=561FDE69856E7A46CEF96E84DF292FDD0816C9320F1DC3A59E118994FCAA608D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.216{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtask_creation_temp_folder.ymlMD5=62137A726BEE9FEA1CB1716E51C47442,SHA256=D92AABC302981205F8711DBE533AE927ECECE960E9750E7BADA05A82FD894F92,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.215{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_schtask_creation.ymlMD5=2C6322BDCEEA032FCBF9E3CDE5244B2A,SHA256=CCC9D554AC8CA96C477FE2EA657616127FE2A8FA4667C0BF01B0A7B7312FE7EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.214{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rurat_exec_location.ymlMD5=89AF779BEDC68BB80148A573D30C21C3,SHA256=AC098EF55D79D80F9EB44FDA570D7CC8F684EEE19E7DBE2D3CC9D16BBDC72F4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.212{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_runscripthelper.ymlMD5=FB5AB29E84924A9D0BAC1EDC277D8FDE,SHA256=3E62C930DD71FC4BFA9AAB4C383874B977E4EDA5528D1B3CA62A0AB24129407C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.211{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_runonce_execution.ymlMD5=56A33F1260F4E7690C9BA5478C5E7C43,SHA256=9295F362B075B43C664B06E6F391B515F0192B411D17992A15D8E54F7577BC20,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.210{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_user32_dll.ymlMD5=ABDB521B59081D69678FD48F326C9373,SHA256=230241621A8CC9593CAD342204F560255E85E876B132026DFE522EE24CD83052,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.208{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_sys.ymlMD5=300DAD2911C5DDA0A538EAE7710402A8,SHA256=112DB57EE25CF84929513D13518DA3BE2F73C5672528A0B9B6A09CEA1FFD5279,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.207{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_spawn_explorer.ymlMD5=E9B3FFDDC4E41D6C2F4AB5AC2B9DC9A1,SHA256=04A64FB5F936588F2AA3984D5BD5026D8B4331025A9556BD2928EEDAD370E392,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.206{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_setupapi_installhinfsection.ymlMD5=455C1C89EA75CC904BB63557C41B98B2,SHA256=9AB478C8CF6A7210641F77A827F4047003DE70D49851E195116A4F4D5868EAD5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.204{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_script_run.ymlMD5=BB6688088862D10CF99F64A054550FB2,SHA256=8D5C9EE061AB74B5FA2158E1A9C543347223871D83185F8D47F27A8056D79D3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.203{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_no_params.ymlMD5=58FF83F67F4C39EC28F7B124400E86BF,SHA256=E7C18DB3882D5A708086928F7039C7BCFB5A53784A34F4123682B60983465BAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.202{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_keymgr.ymlMD5=A5BAF9BAD70CD60CF4C3EEB3DEE23622,SHA256=83C69A8A6B9480524BC3887CECCFE3D1F0D5FD81CEFE2A62909EDDF9B8ABC6C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.200{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_js_runhtmlapplication.ymlMD5=91CDFDDAAF9A048C4D80E7E81F769CBD,SHA256=91A4AD7CDE1FA939D2340785E98315BDACEA2B404BC60DFB5287D32CB3D6A40C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.199{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_inline_vbs.ymlMD5=9578F1573691483AEEE7A4F609927BE6,SHA256=9255838A41B8C4C7DA5BE299B46F2E531F49D8B60D9F529443D19D1512058438,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.197{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_by_ordinal.ymlMD5=CAA2F13F8BA0014942E0693492B96283,SHA256=57E69159DAEC84239920C2EF7179AEA027B9CFCBF7EAE0B715067149BD32CBB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.196{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rundll32_activity.ymlMD5=3ACBC592D753206512357D426DB3E104,SHA256=0E7BA962E94BBD60C547CDF297E5E73EF972AE4D77C3852CFB94A61BC62F998C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.195{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_run_locations.ymlMD5=E75B64696C81CF18FDD264A60682BFA8,SHA256=3582065568C800C19372560042F7904CB32750AC1552B074AA49C04740B94786,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.193{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_rpcping.ymlMD5=2E14AD93B63CABF70DEF4D74FBA6F22F,SHA256=5BB9CFE092510CD3A763348BE921C8B128D01AA58D7548F91C4DBCD983FE45EE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.192{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_renamed_paexec.ymlMD5=C7A10C49B43CD987B5D54DBE60CBBAB4,SHA256=E30CAEED7DE48A747093A53EDC5BC6943B20464D563765E563E388697EC2EE5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.083{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_outlook_temp.ymlMD5=3A6CC87B7E0C25AA0C8BCBEF79A8499A,SHA256=D29D7CA925662516746B9E888511A499FD155711600CA6CA9755EE697981F43F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.082{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_outlook.ymlMD5=0DF4CE6E1925D1FCC224E295134D93E3,SHA256=3B4C6DB2971E31897A6E3132614DAEAD35C67DD95F43031A71B310931D1DEFF5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.081{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_openwith.ymlMD5=6A7E6A948993504E68EB99BF9E969AB1,SHA256=AB064DE8B1E24CE52DE945B0FCAC96D7F151E2A3A5BB8497877A7C575CD9B870,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.079{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_office_token_search.ymlMD5=2B6E251674E13F503B41835BA4A2C106,SHA256=7597B8158BEFAE9B7AD752B8FA71F86E17666F611DF50E91124BB458F009331A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.077{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_odbcconf.ymlMD5=B400302EB5D6E0B1D6AA480C8C51E4D5,SHA256=EEBFF9288A1AF8ECAA2CC3108A438A3B03EF42F8F8B4DC462AC5D795106C64D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.076{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_ntlmrelay.ymlMD5=A7991CAD5FC26B35571D2BA684158E5E,SHA256=C05F8B32DF17488B5F0C066E7D9A744D0F43390DFDCFE6C83F6F91254701393F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.075{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_ntdsutil_usage.ymlMD5=9E8D8BF5EA676BA17B76E68E31C8DADD,SHA256=7E1A2F095D3D1F6FE703FFA2684746D84EC95884110D6473B0B981AE8546CC5E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.073{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_ntds.ymlMD5=7AAF5BBD23CA055130EB58E8D6C355BF,SHA256=7E04976A2734230CB0FFE53D599F3CAF8169AEDFE76231FD7A023B324BD07875,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.072{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_ntdll_type_redirect.ymlMD5=12DBAA716F47FD0CD288E841282725C6,SHA256=C109F6E39E83F3D9FD3A22AF73F04AAC32530A1379E75F543D1FFA69A333A3A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.071{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_nt_resource_kit_auditpol_usage.ymlMD5=8EF8A74DCD227604C9AA6009C70025C9,SHA256=4CA86311E6A0F9927FB9BEF673DE07270F888CEBEF902F15810E4A82F123D227,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.069{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_non_exe_image.ymlMD5=01E6F421B189C20AB428A0F04312845D,SHA256=44BAB6123B8BE95B4B3FD821F4FD535709E1B9B8282579EDA25F86F64150188F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.068{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_ngrok_pua.ymlMD5=B45398D1DD4AFB31266313818F0FB429,SHA256=3A4DBFDDBB08AF49C1C4454621B75811A472E0C66205C9CA0257885DC37C1540,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.066{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_new_service_creation.ymlMD5=5BE943E74EC95965B19A83AD025891CB,SHA256=C493159D40F2B6CBA2D38655A6C0AAC46B3872B04B6E58DD61B82DCC6140C887,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.065{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_new_kernel_driver_via_sc.ymlMD5=749E711DE22EEDA2BE656FFFD2004067,SHA256=0F834C9BD99A896D5DF9E1E51E690BE5A06AC883394BED0B71D95143F5E18F12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.064{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_network_listing_connections.ymlMD5=B8DF1DFEE1A2FF1B0BCF45DCB0744953,SHA256=21A7485D607DA167CC3D710098075C0A9DC41E9D00E0FEFF4FB36CB0EB889391,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.063{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_network_command.ymlMD5=B9893773078AD885E4FE2C1B16C3AAD8,SHA256=A13AF0F70DFD719E5A77300EAAB2808F15AD7F349F19D0A0B97F0FE9CCC7A972,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.061{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_netsupport_rat_exec_location.ymlMD5=33B78C9B37BD52C4B9BECDEDD622773C,SHA256=37CCD4198189DC84D06B22D789F33BC5931D7192E235BDBA2C90881202F4AC1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.060{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_netsh_firewall_disable.ymlMD5=1AD97ACA5924EB571C2740C3AFB932C7,SHA256=BADCCCA44165E232022C3B7E3EFB1AAA729099612BB30929A2802C347E4E0BAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.058{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_netsh_dll_persistence.ymlMD5=42AE38D6FF8CC7DF3AF5BF71BDD70986,SHA256=B8CE28DDBE0F04FE9A95A970B90E9C5D8FE4022FA7F1DA1F036147F6E0A3E3E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.057{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_netsh_discovery_command.ymlMD5=DCBF6A573A192E085B54E42E76CF691A,SHA256=7B6D7D32CDAE5D91D8117221B7B57C86EE98C0502A6D89E9E048A771202EF98A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.056{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_net_use_password_plaintext.ymlMD5=04E430BD3B5BBF73C37A64DECEAAA779,SHA256=AE0FEAEE9A6B3758EA13CD0770F6581266DEA84A9AA59799939F66B0839CE072,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.054{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_net_use.ymlMD5=83FEE7981D30D20E3910A9997F15D0BD,SHA256=D0A107685E06416DD26E24F420B2A1BFFE6079503A1ED1882E018142B23FA6D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.053{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_net_execution.ymlMD5=3D585CB416F0AF3F485EE3CEE2031416,SHA256=28C01949AB067358A7086A1C0E9BD6F956F00C3841465601239B22A518ED234B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.051{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_msoffice.ymlMD5=888393E953979FF06C6265F049AB4012,SHA256=C744EEC1241004F0C58D974CE4A9CD8CC729A8973FAD94DD4D70D4DDD01A144E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.050{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_msiexec_web_install.ymlMD5=1EB76705D778D58417E5818068E0AB96,SHA256=6EB6A2CD1D7E13AD389B29F80434141EFEBA59288F636544BB6EF7CFF6D461CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.048{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_msiexec_cwd.ymlMD5=65CCFE9E8740555F6680943BC7327554,SHA256=0ECC3FF00650EE59D4F740286001FCCFB11226E354E59F54CBDB6118B9C16340,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.047{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_mshtml_runhtmlapplication.ymlMD5=F05C36601C203C3B3715CD12EC917AB2,SHA256=55191C979728527D9988985B2676D7D37D7E858305EAD215DBA0C609EC31AB19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.046{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_mshta_pattern.ymlMD5=ABFA30F45744BF09A5AED4FB965BC5C0,SHA256=417EAB320D53A2B19037F3D0673809AFA82607B85ACD243AAA4A1AD622B05B84,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.044{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_mshta_execution.ymlMD5=5764FA9782948959C63C0424A2DA5EC8,SHA256=92F532726591CB1448DAA8C760BFD2F12546E3791EB72D4508BF675F0B60940A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.043{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_msbuild.ymlMD5=790483F4A03FE5A0FC099DE17B6A1039,SHA256=F36AA19F4B8BDBE4B6EACBFA5510216E0D926F1BF33804890425ED7DC9E80090,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.042{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_mpiexec_lolbin.ymlMD5=926B0E27CB72BA5D1975E13977EDFAA9,SHA256=FEA6923A229B2FFA6D0AB0FECCDBCFB3D4D2B84C1F5F0A4C9630F8B17597E803,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.040{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_mounted_share_deletion.ymlMD5=2847874834F4A869C8198A6846A6221A,SHA256=64FCE74FB2CC631E662D038E8A9C5BEC35D5D20D6907D9F95407B188C3BCA2DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.039{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_mofcomp_execution.ymlMD5=2365E9F1F111B1C1CD1E14155DA81C4B,SHA256=8F12EF5A3A4CCFFB02EF2D7BE5997547A21081D2182FB5DD5336905B3440465E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.038{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_missing_spaces.ymlMD5=4826C8287CFDEDACD9B213A14E0C4A8B,SHA256=EDC63A690F02C716EFC62744EA7ED857D76079189B120411B647EC597B4B9907,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.036{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_microsoft_onenote_child_process.ymlMD5=00CD1E8C15B5A58FD9876B023C028A28,SHA256=B1EC6129475D4E3EB0EA17353E3BDDF3CEAE3BD2BB403818EED1667036D49413,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.035{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_manageengine_pattern.ymlMD5=72CA6D347AD0F9D201165FCA801F62D8,SHA256=4D5E0AFE20851E1C2CD7A91B2265556206AD3F14D08162A2B9B9B0CE53171293,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.033{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_machineguid.ymlMD5=1B37DEEE3E430F339F1162C2F004FAFD,SHA256=825BA9A1F4FF0F1111FA4447A718E6FA2F89357A53B7913D7B9AAD02E4448F2C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.032{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_lsass_clone.ymlMD5=326757A0E778B1009D4BD04A2603D1B5,SHA256=7B83DC214AABE2A3DE0BF0BAF9BBA17A7E1901E801442861C3D4880C85244CBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.031{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_lolbin_non_c_drive.ymlMD5=C4A1B6500ABEC681EA22E595195E89B0,SHA256=A25F4CC2676B4CC6A0275CAF30EEE2F0031BDA6D511523B99165CEEFB19D1E1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.029{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_logoff.ymlMD5=3D0DA9CA2E7EB916BD06179A536D25A2,SHA256=EF5FD57B21CC80BE68D4FB0D688F0192A37216BB9493FC0A1526A84739018975,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.028{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_invoke_webrequest_download.ymlMD5=2D474D21009E0269E6B538EC0E0F8580,SHA256=722CF26740B419E4D673578148BF4972CB0DC39E5A4D86A4D3E5142C76F0A506,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.027{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_instalutil.ymlMD5=CEC08956A922932ABF9939688B929595,SHA256=A8930C7420C1AE754A2ACA5579D210F3571E0ACA7F6B3E19153F75EED88CC3F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.025{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_image_missing.ymlMD5=4CCC942DD5ACC732D40284519CC685BF,SHA256=BDFABBFA8846A7A97FA6C1B668067F53E5516E56E865356A1D6B5FB85272FCE5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.024{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_iis_module_registration.ymlMD5=7D8D5373CE85A4DCD660BD1AE18C5019,SHA256=3BA076EC911BA85C1582A1C98E5672CD5D8B85A87D7A555577822F3E1419B46E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.022{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_hostname.ymlMD5=242B8673C9AC3515C63043373ED28640,SHA256=D389BB24ECD9498CDB5553667C1A6977C191BB973D0F6807F697B048867031D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.021{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_gup_execution.ymlMD5=8D30222B3C65C14F738E18A009EE345A,SHA256=8CB8A60B083759C6B50165F7FFBD81C94B6DD124B1525B5732DB17C9D328CEED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.020{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_gup_download.ymlMD5=19460C6C165661535CBCE257B4B03951,SHA256=20479EE0722984F3FD8828CA2325C826BAD3A09097073A4ADBB5CE54B14CEB42,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.019{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_gup.ymlMD5=E00D569D9BCC44192C73A727C42D905C,SHA256=C0DAF659AB6DF24BD796EC2962D11E590A451E13D5AE792352AF41EA74565D06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.017{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_guid_task_name.ymlMD5=E38B61B66BE13EBCD80DCB71F7620315,SHA256=9E6A8F81095E3345EB6827BC8C92077BE8FA2457CE070BCEDD0AC30848C6E748,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.016{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_gpresult.ymlMD5=0A66C151950A6F6211F4A42297E30378,SHA256=D6EA7D59EFE572D1527958FAF6CE2AF31D01175E79B987953C7F0B3946715FDC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.014{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_git_clone.ymlMD5=55FDDDF2EC28A83A0095DEBF5C87754A,SHA256=DCB8ED9E9BC6476F5F2A9EA65C2E97AA110203108666FEE8B1A397F8470516B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.013{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_fsutil_usage.ymlMD5=B10306A11B4CD1EE09F049D7FE029B6F,SHA256=96F0C99A15DF62157AE9175BB63A70DA4DFAEDD149821CE609F4843EB710E046,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.011{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_format.ymlMD5=31E478490D5622ECCC305E35C1D566D4,SHA256=26BC3D93D01D7118A5EA081C16114CB1F1FDA8FEF86652F9C1877DD5A7FEEE2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.009{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_finger_usage.ymlMD5=3D7F34B706B7904CFA5F7ED0339E1BFE,SHA256=7B0C9938DDA57B3410D1B0A2118C1AAA53D82992D550F04428B5CE709E134C79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.008{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_findstr_lnk.ymlMD5=80B784F1B0817054AF50233C50E34A9E,SHA256=F020E138EACDA5EF7ECCD17CD10164B8F8989F79C492B86FD08C3BEBB97B1703,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.007{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_findstr_385201.ymlMD5=474017D71355D341411AA6AB21AF8C0A,SHA256=EE4885B45EDEB7C23BCEF8259844FBFF5E0A6B6B8A6869FB2180CAFF0A56E619,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.005{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_file_download_via_gfxdownloadwrapper.ymlMD5=8ED83AF959417127D9CC3487C0319D71,SHA256=838FE50F647F6D2F050215961960818F53D5ABEF296F97D5A59C8EE8580D7829,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.004{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_file_characteristics.ymlMD5=8E0FB2F79C441567C5408590449AFBE2,SHA256=2ADFED77676F5FA061F1DC24DB0441BDE55E7CD73379B165389F80D24CCBA23E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.003{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_explorer_nouaccheck.ymlMD5=6C25DA76FA0663F73E1DC6205917A87A,SHA256=7B1A913AA5724AE2A89A5DBF99BA7CBC9C772F8B7C93FC5C181D126910803A66,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.001{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_explorer_break_proctree.ymlMD5=D4A8F45FE86A62DA56E1156774AD3910,SHA256=ECD40D26DD6375F5A2570E5EB2C2FB0A332589A42466EF1A95DFDAFF9E04DADC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000260868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:36.000{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_explorer.ymlMD5=232A6D1A8FA0D75A892FDBB759B1739C,SHA256=77CFAAB8AA125C76549E3ACA644071B58A70579332DFA4B38F2F105D7B066B09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.998{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\registry_set_add_port_monitor.ymlMD5=4F7E51EE52E6E91ACD1EE0CFBDC24829,SHA256=E4672A051BB58ACC568A6363713ECC026C0C13577A4C7D84E385A2023C347244,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.996{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\registry_set_add_load_service_in_safe_mode.ymlMD5=6EF5FCD48D5D832722D9B564A73A2E57,SHA256=174A8DAD46E9DBC4E344D79A4A614ABFABF592BD24F622F4010B0E10D537D89A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.996{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2500-00000000BB02}2496C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000261278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.991{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E15-63DA-2300-00000000BB02}2352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000261277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.988{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0D-63DA-1B00-00000000BB02}2032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000261276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.985{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1700-00000000BB02}1388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
10341000x8000000000000000261275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.937{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.920{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_set_legalnotice_susp_message.ymlMD5=3108E932C29CB80044C19D08A38D89E6,SHA256=B6D9262F911727D9313032EF8293237C707D6CAD076C84F0D351BB057CE80C23,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.918{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.915{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_trust_record_modification.ymlMD5=BB6B29C65A50BF42B1E596CAB0372104,SHA256=22670430EF3EB31B4B9319581167A9A8C0EC8BC4415FFC8AA0564964DA149692,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.912{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_susp_mic_cam_access.ymlMD5=36BB422E2427143335B4639D3654F433,SHA256=0E4CF443570FA1D3740C718BFBAE628A43182432BC19212C8F8775B585E0DFF5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.900{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_susp_lsass_dll_load.ymlMD5=29F74AA9A82177C8CDC9A8BADC1322DC,SHA256=C6A0A435EA77508DFDE0FC20A7011EA5BC285555E9E778EB87A4F8C87E99BAC2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.896{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_susp_download_run_key.ymlMD5=5D5735B0709192EEEF5C3AF0BD0C965F,SHA256=4B6C317EC18906FD244B45676952324409A866EF10D37622F4A78FEEE3503936,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.893{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1400-00000000BB02}1064C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.892{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_susp_atbroker_change.ymlMD5=346B62AB314A03D9F81205F1ADB59D4B,SHA256=8C9FD1815CF63DBDD98DC6A19167FCE3E653C1C4CB2DEBADFA2B5EC440BEEE2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.887{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_stickykey_like_backdoor.ymlMD5=C85C1599CFA1325D7918905FFDD2D8F3,SHA256=9233F98CE75A834F62B77A1FB91772C81818EF2F0A6A4869B8B6809BBD00D7A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.885{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_ssp_added_lsa_config.ymlMD5=572044DC5EB177DBD2DD9F0B4FA9A548,SHA256=DE851B1D93719E3E71B4C1432A8F9A20723323D0CBFC5A20DEE9C1D05211673D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.884{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1300-00000000BB02}936C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.875{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_silentprocessexit_lsass.ymlMD5=11D416AC70109BF528AE9FA9390C9E0A,SHA256=405F987660C5AA43D6B824F12FA2D41555B7DB97B6CFECF8AC391BEF663F835A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.872{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_shell_open_keys_manipulation.ymlMD5=038D91E5559B578774E909A3CE72C3C5,SHA256=E91D63C3CE06A6B48C6B99015B5314F2EA9E3531ED7878B56D814260D1278152,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.871{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.870{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_runonce_persistence.ymlMD5=46638A6445C47D1041A23C2AF40D0204,SHA256=2F1BB15F48B889039DA697F6C4F44A3689C56763BBBB354A80CEC72231EC015A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.868{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_runkey_winekey.ymlMD5=B19FBE214E21BF14AB23C9CA79080812,SHA256=72FDAD74C135D81BFFFDD3F7A882C0D1D01A1F1080B4B6845FD1BEBCA62FA987,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.862{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_redmimicry_winnti_reg.ymlMD5=CDC70795AB341B9C20706E4DC48FEC6B,SHA256=38A2C964EB768440FA71142B798BE47D3E9D02DA302933E4BE440FCF7E8E1860,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.860{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1100-00000000BB02}444C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.859{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_portproxy_registry_key.ymlMD5=C392788DB05B3E22A6AF7FA9826AA5E6,SHA256=C728CBE73F176D2F6370E1AC63A309E5BA16B9B1C9272256B0E63AB65282190F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.857{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_persistence_recycle_bin.ymlMD5=D17F084FCB48F5DC0D2507BC3A407CE3,SHA256=EE71C63850321B28A8CB2639932D86D5A1F08F41AB600BCAED3CB5C95594C3C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.854{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_office_test_regadd.ymlMD5=2DB3D6918D4190CDBD9D8A84CEE1C851,SHA256=6AB90E37EEE68DE7E713CF5598039667CEA84650502DAB99EC4056797463F259,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.852{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_new_dll_added_to_appinit_dlls_registry_key.ymlMD5=F0A9842540D49BFF7738C1FE29D44D48,SHA256=8505EA9C3D5EBB08F66FA6B21205C467B5F41F3E5EE371671C5866B179186E9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.850{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_new_dll_added_to_appcertdlls_registry_key.ymlMD5=F20558461C312E9AFFDC409CD2BDDADE,SHA256=A885528031AE609123F0C8C14438BF10A40A7021B8B4B5772279CCB9FD42757B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.848{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.848{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_net_ntlm_downgrade.ymlMD5=EEA2E0993E64126A4F9C1F611CF651FF,SHA256=298FDF59418D9CCF75A54779298336E5E31B8A036EB77B7BB29A8CFA0E0427B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.847{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_narrator_feedback_persistance.ymlMD5=6E534303FA0E0E1FF90F20333CCE04FB,SHA256=2A52A992FF68131720E0754FE4CAEF156EBC9E11F1CB3576FE644C02FA74EB71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.845{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_modify_screensaver_binary_path.ymlMD5=1DB918B90C4BB7FDC89E5BEBA8BC215A,SHA256=B482BE6087DB9BD62160954BEC21288AFB8A06E2978F292C63C29C9C3019539E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.842{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_mimikatz_printernightmare.ymlMD5=122D91FA69BB91047FC5DB6B9CBD29A9,SHA256=F5348C2AE48D9CB596C93AC15E5EF3DA0D54B5671C32216D1CB2906AF7EFEEF4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.840{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_mal_flowcloud.ymlMD5=4A429B584D26CBD9ADB5EAB7F8EBE48D,SHA256=6248F6A63139C81497AF3B296796364F7257D3AD8C17F74A8F7ED8131D233207,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.839{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_mal_azorult.ymlMD5=C684B65A78B4B07FC88AD5CA45C0FBC0,SHA256=7AB20614A6B1D819EA7995360A9CB34F28CE9EEC4AC742BA96A8E11E19F4067E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.837{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0F00-00000000BB02}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.836{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_hybridconnectionmgr_svc_installation.ymlMD5=38D6154CB981CB7BF86BDDFA57076606,SHA256=D087ED45AC3E4D65209016C7C44FAD451F5E1D0D6A3F83B77291B3D1D9895ED4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.830{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_hack_wce_reg.ymlMD5=F59A902B2F881075B4DE5BB2192D930B,SHA256=D2D42C24C541FE431C93EE2D136634F2B18268109C4D5216756F27B3BE024E13,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.827{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0E00-00000000BB02}104C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.827{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_esentutl_volume_shadow_copy_service_keys.ymlMD5=46DA81F3C56299DB1C5020307DEA701C,SHA256=3DE8F8E5395D7CC0E58E1DF76C4214DBB0BF0BB36CB763684F585943A16D64FD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.823{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_disable_wdigest_credential_guard.ymlMD5=9958B2491B45DA9B742D393E3FA54696,SHA256=B9B0AF5BE2FFAB69340DE896B7D1021B320454E0D87F018A44E1C51C7E0E5521,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.819{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_disable_security_events_logging_adding_reg_key_minint.ymlMD5=3E7B9DAC62BDF5928BBD737FB45CC137,SHA256=80B43774B0086A9F4D4D429AB5DB39D493AD9BC6A0F909878105A72753E026B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.809{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_cmstp_execution_by_registry.ymlMD5=88DB0AD45634569B280AC9DEBD2A0DCD,SHA256=22E623A6CE934C25EBA3CE5E1A3A17E236812BCDB2E4606D4BE06F377AF3342C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.804{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_bypass_via_wsreset.ymlMD5=E926CB187A611A104605E10E0B865339,SHA256=1F8E94B47645B9E47F233D54FC4B878D494E4AB3C12D204AAAA6967BA267BA52,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.800{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_apt_pandemic.ymlMD5=C0F8902BF15D37071CF069B0BC2D5E1D,SHA256=4DEA1789B934CEC05E43AAAC527A66F819BBFD75E19F616867AFADCD416E332F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.800{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0D00-00000000BB02}920C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.798{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_apt_oceanlotus_registry.ymlMD5=627A66F9D3F7180FFE15EE5E7FE3FB06,SHA256=543252F6E3E5FEBE1B85E98CF73028E435497A256869DC9FB8D5FFA2D54143E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.793{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_apt_leviathan.ymlMD5=71A1191691E576383C6CF21C62EF960F,SHA256=E54CC36AFE69077434A7DA8925D131F0C12C9F62359F143F1C2B2A7C96EB466E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.791{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_apt_chafer_mar18.ymlMD5=50F94C82C27C99933E5634D301903DBB,SHA256=D47BA133D0A79D22981CE9BFBD03D6B05D55FDE97D2CB458066C1F642FE7AF86,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.787{F522A29C-4060-63DA-E700-00000000BB02}58686120C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0)
23542300x8000000000000000261229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.787{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\registry_event_add_local_hidden_user.ymlMD5=F240E825CA4E62E5C86C5498D24CF1E3,SHA256=ADD53B3B34CCD1C1A86B191881420B51D35C8426B5E7454BED85D5867EFD5F02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.778{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\registry_delete_removal_sd_value_scheduled_task_hide.ymlMD5=DCF2BFE2AA9D738FE6A4EBAE9C9049E5,SHA256=7E1FFA49CD9A2E1B51BCDDB3F28D35A53AD07E65505EECB5ED248D571A5302FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.775{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\registry_delete_removal_index_value_scheduled_task_hide.ymlMD5=8E5A86328A8F939E78DF146FAB75C7B1,SHA256=8D08E197D111C04B6E1099165273810F9438D6D65BCD7BC17537FDCD9FF770EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.773{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\registry_delete_removal_com_hijacking_registry_key.ymlMD5=DA605484CD477BAEA7A5D0B1599D7CAE,SHA256=05F6235B694B696089977EB2CF0049C14CED9B054A8847A575AE0066FE6C2C9F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.771{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\registry_delete_removal_amsi_registry_key.ymlMD5=F31B4380687422926026186F17E8F21F,SHA256=58BFA76D285A26DA61EE237E89FE3D8ED41226F8EAF25E495B61876B4CBF20B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.769{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\registry_delete_mstsc_history_cleared.ymlMD5=54A515F293C183FA429074BBAE7B34B7,SHA256=3C54F4417C6103380C87E3360101138B889CB80BFF4C17CE3002B72E1B6CD84C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.766{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\registry_delete_exploit_guard_protected_folders.ymlMD5=6660D1C74E75A86165FC72E221C6D17B,SHA256=D95A5BEAEEBE6D17990EF7DF81B56021BD1CB672B6BB2612F0F81D93DE09459C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.763{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_sysinternals_sdelete_registry_keys.ymlMD5=055B1D901D9348115DEA9B3857B02D74,SHA256=DD0C485544DACAAB17443DFFA7163F7697E7617E3A66BCA555376555168401D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.761{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_sysinternals_eula_accepted.ymlMD5=4FA25E13472AC53BF7E43AB252B09D2F,SHA256=27D36DA636660030DC6FC47F68C9CBE40CEDE8A7C812A57C2371D7F56A4FF57D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.754{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_susp_sysinternals_eula_accepted.ymlMD5=53571F4887B35DC78EB80E21F0F222D0,SHA256=F00FFABD26B8BE657C82B722CF9D9AC83CEC46B3ADF83BC25C3120FAAB63BA2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.752{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_renamed_sysinternals_eula_accepted.ymlMD5=F3FB826C5208FE07C108FE172CBD59BB,SHA256=A937543EE91DDA178AD9D65CB351F0A902FA942C58B6348A4565C79B0987A7CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.748{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_persistence_key_linking.ymlMD5=7C49D0851BC50AE92B0A7D6CCBB4FFE7,SHA256=1B45DAE2A11CAC9F94658829753A2437C20D6F921943E25F0197B1B37F899D3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.745{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_mal_ursnif.ymlMD5=F254E3120E3576C55FE2BF6DF0013044,SHA256=94C1B5978711A09388EB18D453384A27E73FFABBCDF129C99568BBBE4EB52450,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.739{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_mal_netwire.ymlMD5=A8552B5A52F2179FE0904D49E63D31BA,SHA256=BB8D4B341CFC27A67BC0D0727C8B199FB49F4B3B432F06F8B50AFF2E812D8884,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.733{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_logon_scripts_userinitmprlogonscript_reg.ymlMD5=3EAF35564A03AB5211A98256F412EA8A,SHA256=F3B9B7A1B64981D95FE9378935A84E6DBA887665ED33D00BB61ED1666EAB99A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.727{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_disk_cleanup_handler_new_entry_persistence.ymlMD5=C9EF47CE1AAEA651A6F529924358DFCF,SHA256=73CD41BAD25D5719D5456D3694C6D4CF422BF3023CAA871F63833AC11F0CEC2D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.722{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\registry_add_amsi_providers_persistence.ymlMD5=8699002A373A805305D802B9BD843FA3,SHA256=A0BD00BB2089313EC45A6DE007A63B6BACD810CCC6749A0D62FE2A7A0F7314EA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000261212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.707{F522A29C-4060-63DA-E700-00000000BB02}58686080C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C00190)
10341000x8000000000000000261211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.704{F522A29C-4060-63DA-E700-00000000BB02}58686080C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0900-00000000BB02}596C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C00190)
23542300x8000000000000000261210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.681{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\raw_access_thread\raw_access_thread_disk_access_using_illegitimate_tools.ymlMD5=831DA6BEF485BC59CA053CE788C424B1,SHA256=6EC44550D941A04107B1760CBD532C51BB8397F1E614030F27A9DACD3B7157F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.679{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_xsl_script_processing.ymlMD5=4B55A1783FB50D62DA243A2BDC14BFD7,SHA256=B6018D677DA71A910A9E27CB53F576093F058388FA7761202808BE4158EE32B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.677{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_xordump.ymlMD5=A14AC283B340DD324E7B4E926434264E,SHA256=90C2092F8B9E27CD534FD6E78D205EAE30FAFE124C3175D53BD8F008C4DFFEC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.674{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_x509enrollment.ymlMD5=5635A773DF726042E128D939B0D267E7,SHA256=F1A9565491C48AA962554C55844936528D6103448FC60AD3EB29D18C53B3498D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.672{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.ymlMD5=693130AAC3C0EC97C9256C3A546EC811,SHA256=05613C106AB1D3E1C9ACEE4D35E764B470D648C4131ECF5428569107A0604935,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.670{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wusa_susp_cab_extraction.ymlMD5=1FA8ED36ACC417DBA99F5CDB47210500,SHA256=CEB47582772CA5D5671E2E0AAAD7866A675F1793873EDEB6EE55239CE564CA39,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.669{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wsudo_susp_execution.ymlMD5=FD3488DFA20F15E2046CFE0720100EA4,SHA256=70CEE5102134A9D9E57B4A2ADE072ACDE1EDBE050F20B78A7E2C7C75F213A754,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.667{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wsl_child_processes_anomalies.ymlMD5=9AB714C6BEE8F0D8CE8B661CA58F8A60,SHA256=F61D8BF4302BA3DF4A571D311366E4A40A552C4BE3397518F79142D51D0EDA68,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.665{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wscript_shell_cli.ymlMD5=BD77DD20041414E853D5E3482D3A1038,SHA256=C6856851960E868BE3274897DC2EA8E634668CBCFED38F43868185B05AA62864,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.657{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_write_protect_for_storage_disabled.ymlMD5=25E22988030BA16ED66E8CCF8A0CCA93,SHA256=5B41196C6F1F95809F506323B84DCC0CBC773FE7983C2837C7070F7C2A6F5B12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.656{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wpbbin_persistence.ymlMD5=B9283B18D8A74AD6527B6AC3F33780C6,SHA256=4278A730AAF1B1F179A800243A83AAF002596475A89D720E0234CEE41C9CCEF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.654{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_workflow_compiler.ymlMD5=8301454282EDCE7512457EAC01992116,SHA256=83DBEF6F36298C9F29C2796A40B2FF921B3950C0893A508307E6DCB9337AA752,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.651{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmiprvse_susp_child_processes.ymlMD5=C21A5625A84372FD6E65B6009E0324AF,SHA256=98E732B21A0A22C8AEC4E85257A67789D987D60FA474F5B133EFCF13A98295E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.645{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmiprvse_spawns_powershell.ymlMD5=8EEB26AB0EA245818E24629447EF6EBA,SHA256=20E4FF6FF3A7EA6209E471E8850EFFF91C962F69089F80FB7AE5EC3382D1E431,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.642{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmiprvse_spawning_process.ymlMD5=98B3DCE985DE0B32CD745A010B56A9CC,SHA256=6300C8FE1CBC13E1D97C07549D9F50DD5E6994A1ED43A331BB579F869F07FB59,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.640{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_unquoted_service_search.ymlMD5=C8C2FD14351A38FF47BD4CA32A039560,SHA256=5B2E087CDCD7E4C81FE56569ECEE762CC31E640CA88C38B15C0DF6C98C39E8B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.636{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_tamper_defender.ymlMD5=02D4A27A797771AB3584B0303F77B075,SHA256=C8F94BF5ED6F7A14C04B70E64171D96616EE0D49772B8FE28D5B26D72E4B514A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.634{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_susp_execution_via_office_process.ymlMD5=C2D85B298642D6ADC242C3FD71747A74,SHA256=515CF69A7AFF06B721D633EDE11DC5FF0C89ED5832500CA081551146DD0C48DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.629{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_service.ymlMD5=EA8BB234A44AEBCA5D08CBFAB6F9E130,SHA256=367E328702C4C4BF1E47A6B2C8F53AD5633521545A4DE73E0F280C233C787B09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.627{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_security_product_uninstall.ymlMD5=13C8F7CF68269F186CB6A71F2EEDC828,SHA256=604EBD61AFE0ABDB27311CE713070686DF19E7C169FD90893BB786112165069D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.624{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_remove_application.ymlMD5=ED47E19FA9E827B0DE6A0627112F02DA,SHA256=11326F0207C771777F4C2EE4E7C004174598C9FA036684CAA8AA33C98A9162B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.620{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_remote_service.ymlMD5=768E415C739D172AC97CCCE3929F72FD,SHA256=FAF490A9769567E3F5B16C27C853C30DF31F268988FF503234C88B9B18DD3B4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.617{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_remote_command.ymlMD5=CE9AE2B7CD5875E0982A57343496EEE3,SHA256=6E62BB389E2A319AE3E030870D65AE68B89E8576F7B8DB738D50E41FAD28F5E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.615{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_reconnaissance.ymlMD5=771ADE675EA620FC470D19123EC351D1,SHA256=A9924931BD84F27AB99294518CD4AAD9C7E6F1A83466CC3BBC872CD074E7DC67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.613{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_hotfix_enum.ymlMD5=1570BC2C4CB001298DAC55CE54333B6E,SHA256=C4196A92CB5A2C2FAF025D9497487B77DB4E0C7F035E546F985E25359DD101F1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.609{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_group_recon.ymlMD5=68312D9B07A5C6AEB061837B41203AA4,SHA256=44F1C2B08C9CAC4526ECE8F2F44EAA8F1AF5251DF7F8F030CD06B4115F849594,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.607{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_execution_via_office_process.ymlMD5=9B56DB216D02F7804ACEBF5E4A1C77D9,SHA256=84BF33A11E668C4EAF1049FF9F69CA5845B129EC747B5789230DF59238EA6191,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.604{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmic_computersystem_recon.ymlMD5=19337460C89CFE28C5120B63104B059E,SHA256=EFAEDD422408DA220C244EF9843DE9CE63D92903F2A821D0A0B739E3F2AD3972,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.603{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wmi_persistence_script_event_consumer.ymlMD5=D011FF64C351584D6348B9F1EFDDFA76,SHA256=385C62E635904C9EE91C59AE874944F924819ECE4DFA69A413DEDF248BD9A6C1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.598{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_winpeas_tool.ymlMD5=58C31615AC1355CB4C904F6C239626E7,SHA256=6D445CD3C0418B6C88851B724BC0449B5D8F88B69AFF7CCCEDC179F62E2394B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.596{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_windows_terminal_susp_children.ymlMD5=2CA0E19C78FC928B977D1F7B50714A85,SHA256=412EB7E839AB4B0B9B54CD2D341904646E50C8E05F80C5F0444EBF28A003A9BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.593{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_whoami_priv.ymlMD5=8CB02F13C50A7BF99067836C19457D3F,SHA256=D3245D438C442E60188B408B3F84D10ED13499E6EE084BC56EE8E5006A827B7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.591{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_whoami_as_system.ymlMD5=D431A9C134B7C1877023E68E556415C2,SHA256=1B468AF8695845432BB0A238F134C73F7C60752B5E3EBCF78F26719E143FA2D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.583{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_whoami_as_priv_user.ymlMD5=22BDA65F5E8CE75DAE2FD91AE8077F0E,SHA256=B605C1464DD5C17826B05936E70A4A1F94713F2DE82F08D328E9CFCE7542F42C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.580{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wevtutil_recon.ymlMD5=569A1F1AC46CA9AEE5549C640F5F46B6,SHA256=99EAADFC031F5160093AD6E73296072DAE4E1B0733EBBD7AEE509E80BFF0BEED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.578{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_webshell_spawn.ymlMD5=A6EACCCFA267E4F8CCB1F7F2E7FEC7DD,SHA256=D66B80713283201F593D322AF38FF4435A533AFF416AF25D4DCC8203FC8831CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.565{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_webshell_recon_detection.ymlMD5=59F5D4A85F8AC4CA0B11A7A645765F1F,SHA256=C44A9D9520365D0ACFB8246C406DE08C8A049361FA629A21A9A29BFBABE8C286,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.561{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_webshell_hacking.ymlMD5=E87897511991A07CAA6D60C93882BE25,SHA256=ED960EFC1EABF614B7DA743C894CDD676C1E29D6D680667C40595501E17A4733,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.556{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_webshell_detection.ymlMD5=C49D0A95F34F6049BE5AA24D87198AAE,SHA256=E339EB57E0DB818AA15489DE14688289265D89992912043DB85517194641962D,IMPHASH=00000000000000000000000000000000falsetrue
Sysmon records from this export, reconstructed as one row per event. The export's field separators were lost, so fields are shown here separated by " | " (inside the CallTrace column the bare "|" between stack frames is Sysmon's own separator). Values that are identical in every row below are stated once: Level=4, Opcode=0, Task=EventCode, Keywords=0x8000000000000000, Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-ctus-attack-range-865.attackrange.local, RuleName=-.

Columns, EventCode 23 (FileDelete): EventCode | Version | RecordNumber | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
Columns, EventCode 3 (NetworkConnect): EventCode | Version | RecordNumber | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
Columns, EventCode 10 (ProcessAccess): EventCode | Version | RecordNumber | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace

23 | 5 | 261171 | 2023-02-01 10:53:37.547 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_webshell_chopper.yml | MD5=B0C5A04B6496FA4BF81144DB183AFCE1,SHA256=7B2A79BAE12A0462151535D3298EF48BF23B18F286141A6011FB24D8E52667D0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261170 | 2023-02-01 10:53:37.546 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_webbrowserpassview.yml | MD5=3FA1D27FC0C58A870060763DB4314E0A,SHA256=0F1D4D5658F8D29C6E215EF7FE05D1DCE0CF25B3A007EEDF003619ABBC8B9AD7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261169 | 2023-02-01 10:53:37.540 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_web_request_cmd_and_cmdlets.yml | MD5=3A6DEA75635076E2C1CC71F4E5BD599D,SHA256=D322AB1C55C2CCA7DE46B48BED2B7C16AD246D3DCC8830101E3033DAE7F11EBB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261168 | 2023-02-01 10:53:37.537 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_weak_or_abused_passwords.yml | MD5=FE71A8E3D24DF5076E27D098524FEC4A,SHA256=F63A55B2E666C13B6FB7955DC55ABD1EEE370851FF21BC779D33D6256104E8A6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261167 | 2023-02-01 10:53:37.535 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wab_unusual_parents.yml | MD5=7AE55A32A6F871CA6143773FBF922F32,SHA256=881D207AD729D3233E7F70D08926FA72F0741315BC4E8394BCE4127484280EEC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261166 | 2023-02-01 10:53:37.533 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_wab_execution_from_non_default_location.yml | MD5=879143AF16785B26A93B3F9DDBEDF677,SHA256=FBE72819F85C2CFFCEB69487DC2ECC2C0DAD6C6B7DDCCA0C87C60DFBD0B3E39F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261165 | 2023-02-01 10:53:37.529 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_w32tm.yml | MD5=9D6BD2AD35C61D017747BCF9699830D8,SHA256=287617FB2001ADE3812A3628785D66DAEA07A1B514EF223F96D54384D3F23721,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261164 | 2023-02-01 10:53:37.526 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_vul_java_remote_debugging.yml | MD5=6C531A2F651D276C66620F6AC32A3F10,SHA256=39E8F8D2BD966DBAD91878199C278E8FF7CE6AFEC49EDB1F71C227FF8E6A481C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261163 | 2023-02-01 10:53:37.525 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_vscode_child_processes_anomalies.yml | MD5=155E5241FD493578A4BA30CB5D40C7EF,SHA256=7939684748EF4CA74F448FE2088CC29A4F95EA0DB7446DA549E734A62B9502DE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261162 | 2023-02-01 10:53:37.522 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_vmtoolsd_susp_child_process.yml | MD5=54BEEEF8B2788B4B8E2BAD3A5B69D050,SHA256=9E27DF6B36D96BDEF51D01BDE8E032664CD6913BAB5A4C501B249D57141F33A3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261161 | 2023-02-01 10:53:37.515 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_verclsid_runs_com.yml | MD5=1E7350C4EEAA76732E987E7639CFF83D,SHA256=E7D6F0F6AB4DCB728707FB87C66A2B740440835BDDC91506FD5A63612147177A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261160 | 2023-02-01 10:53:37.513 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_using_set_service_to_hide_services.yml | MD5=153961CE3EA90DA5874EE195DFB836E4,SHA256=17BD8AC9C63DB5D3824859FB8155664E131814640247A4DD65BC124EC2EC4A70,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261159 | 2023-02-01 10:53:37.510 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_using_sc_to_hide_sevices.yml | MD5=8D506430E04F741CC6199887FF0881C4,SHA256=4D0219F149DB7B727CC670731421D037AF1D2032EEB6667FA758116DCAF7A0DB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261158 | 2023-02-01 10:53:37.508 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml | MD5=3C2A9989EF9248C0521B9825C55B3358,SHA256=953A8536F79DADEA8D5206CCC3C52A3C91F71B6A094C4921D9373D03C97AB87A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261157 | 2023-02-01 10:53:37.504 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_user_discovery_get_aduser.yml | MD5=27868BFFD5146626BFF7500D769FE523,SHA256=7347857A2974E25C601B879AA7D92BC50280D1B3A661D30CAFC3608043CC7B19,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261156 | 2023-02-01 10:53:37.502 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_unusual_parent_for_cmd.yml | MD5=4F93831845937775A6C6AE9A72EFFAF3,SHA256=48FF3C7746A1E2FEDD4C9CE3B2F949158A51220EEB156B4E4CA74BF4F1972EFC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261155 | 2023-02-01 10:53:37.500 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_unusual_child_process_of_dns_exe.yml | MD5=233EEF450A6F1901615EAD4C713CAD34,SHA256=A358A6B39FF2DA8A49865265C74E02E13AF5A0A4AFA00277CC17A47DE51BF51C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261154 | 2023-02-01 10:53:37.495 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uninstall_sysmon.yml | MD5=544E05CB39CD679C3CF7009DF7E97F30,SHA256=87D89AADEF53CCF5DBEB99BFC2332D3B5FA1928118952FD6894C97D64104AE14,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261153 | 2023-02-01 10:53:37.492 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uninstall_crowdstrike_falcon.yml | MD5=5BA3A4703FFAA9389E221AA08979DDB1,SHA256=6C3EA9F289C352608A8288457391CB157B3B7449408182648598BE38B666C09C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261152 | 2023-02-01 10:53:37.482 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ultravnc.yml | MD5=47D8D66A5382D77DE4F3CB2F3D27C9A3,SHA256=8677FA433E61EFBD65DBAF9455F81CF72D2837E3A762F91E9394DBD4EE933467,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261151 | 2023-02-01 10:53:37.478 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_ultraviewer.yml | MD5=062B0C7B95E8EC6A1ABEE179E84F1C31,SHA256=9DE4E29739F0E0F27773DE412D2B008F38ECE505FC73AC17E64790837D3DE4E6,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261150 | 2023-02-01 10:53:37.476 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_wsreset_integrity_level.yml | MD5=DEFB6AA795BD2A3186210F3509EECCB0,SHA256=F7B729DD4DE90E7ABD61372925128D72EC4047B61E6583C0A1F57BEAE7F68675,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261149 | 2023-02-01 10:53:37.474 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_wsreset.yml | MD5=94C4479247912967002449510C235054,SHA256=74AD83CB1123558202994133218CE9C7723361A6434F6CF2E4E962CE41FA320C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261148 | 2023-02-01 10:53:37.472 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_wmp.yml | MD5=46275999852CE80408BD48AB936D37D5,SHA256=069E5F5284205CEB3239774AAA8329C8BC58197A87FFA8D7DF3D711D08180789,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261147 | 2023-02-01 10:53:37.470 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_winsat.yml | MD5=0B0DB08F905BA23B1AD4659694F7A628,SHA256=FECBDE1C32107B16CB67C17A12109AD6F9752F858F0194C438D73B7B1B60117F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261146 | 2023-02-01 10:53:37.467 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_pkgmgr_dism.yml | MD5=95C98E693111EDCEF41AC15AB8BDDA7E,SHA256=F4C48053FD79541CAB3F95568BD112E3F7832B43B21D2C523321201B2EE0E878,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261145 | 2023-02-01 10:53:37.465 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_ntfs_reparse_point.yml | MD5=87E44F531DE0561E233E8A9C8122EACE,SHA256=26F18D5D017A37093DD18BDEF7033A47C098F5D17FA693042294912348D63E4C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261144 | 2023-02-01 10:53:37.463 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_msconfig_gui.yml | MD5=E5B2F22F198B6D603A8D6D48086AB422,SHA256=4CCF8CE006A00267B5853B01A4F960707B2134CB597EB61EBD90484C898C3627,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261143 | 2023-02-01 10:53:37.461 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_ieinstal.yml | MD5=77370869CD9EB3601A9C6870F4D02A39,SHA256=0DA49B4376AAF7A46E6938467F4D4B02660C460E89FEF7747D3EA338FB72B7FC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261142 | 2023-02-01 10:53:37.460 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_idiagnostic_profile.yml | MD5=5306A95AC56344CC97CC7502765E98DA,SHA256=1222E3B6E0D9C7F7C24AC1599E74A1382876BDD0FD1CD11FACC65F5CC560859B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261141 | 2023-02-01 10:53:37.454 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_icmluautil.yml | MD5=CC7400CFA313B3263A166828A00185C0,SHA256=0A0845C41E9897B3AC004FD01E0934B6E97FE0EACDE41E5ACE389CDFEC1F1A1E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261140 | 2023-02-01 10:53:37.453 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml | MD5=1AC01C06332BE6D3205DC3892D7971B8,SHA256=33E780A0221D8BABD31B795BFD74267DD6BC3F9B6C3C18E055F5DD4D2B4C9E3B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261139 | 2023-02-01 10:53:37.451 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_fodhelper.yml | MD5=AE8987591BBAF7DBF4E472203C43D385,SHA256=A49EBB5E6B2FDC75A133F728AB52E8845B7CEF7F9AF70676DD905DF43DBC27CE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261138 | 2023-02-01 10:53:37.449 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_eventvwr.yml | MD5=5A3731C2B6CE0488AF30868942177539,SHA256=E9E73B57873B9A163780DC61DB182ED93D6F6E56E6A09DD0DF0EBBE225124B5C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261137 | 2023-02-01 10:53:37.445 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_dismhost.yml | MD5=4941938A02E8D5119BB7AD36F9EE352D,SHA256=B94803484FF2754855DE4F9B95585090008288EDAD72A7E835967B4C4D106FA1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261136 | 2023-02-01 10:53:37.443 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_consent_comctl32.yml | MD5=9F142A9C78B617C819A8702ED0587CB0,SHA256=D066B1C791D3A5E241A0379D5496038F4E1D552B7B5912D85424FD029258BCC2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261135 | 2023-02-01 10:53:37.441 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_cmstp.yml | MD5=994C63FD2794947072B3ECCD6776CE20,SHA256=0E17591C00D51C041F7D8BE33A7B3F61632BB01FA7233C66CFFB924F905777D3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261134 | 2023-02-01 10:53:37.439 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_cleanmgr.yml | MD5=1466E048CE62874853296E73649317F5,SHA256=0C3F15C0FD8449D59A6075081672524DB0BA495CBDC0729634363517F0A9E401,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261133 | 2023-02-01 10:53:37.438 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_uac_bypass_changepk_slui.yml | MD5=DE5E59D1B92A5285CEE4836DF3CCA28D,SHA256=65C3C1B1BF205DA85602C0CDD99900C7B3BE5FF76672A92832B1107ACFEC6A90,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261132 | 2023-02-01 10:53:37.433 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_turn_on_dev_features.yml | MD5=316314FD0FA8EF628785A908C5162DD7,SHA256=28C5BD565567B5D61F45EA33CF3D9A00AD06717BA20B2EEFE470A6ECE7B98830,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261131 | 2023-02-01 10:53:37.426 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_trust_discovery.yml | MD5=62CA6069C0DCDC26249F512C472D387E,SHA256=39E8C02B5F9559659B4F4BDA4F94C7237253B04BFEF1E55A39EC05C047ACD2F1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261130 | 2023-02-01 10:53:37.415 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_trufflesnout.yml | MD5=7BB7DB839AABEA86F8C4B11C83FF0F7D,SHA256=2A301E2ECB65330F0E00E341AE0B6C7E9523F3B64E4C161FC6447C9CEDCD1244,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261129 | 2023-02-01 10:53:37.413 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tor_browser.yml | MD5=4220B33EEE272D683D6BD33316DDED56,SHA256=C899409BC0B40B5502D7F7196FB74A33BB49F6E4A0A9B09F36FAC8525FEE596E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261128 | 2023-02-01 10:53:37.409 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tools_uac_bypass_computerdefaults.yml | MD5=63975EFEE92B37BA89F124DEBE282FAB,SHA256=E69DB726634C93887447AAEDE7759CE35068F36AA6F82C80DE01E797707BD407,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261127 | 2023-02-01 10:53:37.407 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tools_relay_attacks.yml | MD5=E6BD0C6B816660C8C062F34236E2ED28,SHA256=342DBB4EF12A3F96EB10B75A85E9EDEE5A517A870A1CC13CD4FBEF594F423B30,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261126 | 2023-02-01 10:53:37.405 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tool_runx_as_system.yml | MD5=775D4F9E452D8100CB5EA55973F18AAE,SHA256=E63BCD8231B4A6CA0CF4517957CAAF6D850410566489D4CD6288437FA8B438AE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261125 | 2023-02-01 10:53:37.403 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tool_psexec.yml | MD5=2EEF7B9EE1CFA3BC5E4B177111172E1B,SHA256=49F90631E42D5096C4DE26E770F4BB8B4BBC6E12CEE5B9833FD549DABBF02B6D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261124 | 2023-02-01 10:53:37.402 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tool_nsudo_execution.yml | MD5=10846989B55D7C3419723F46B67BAA65,SHA256=3C0418204119FCBE99B0AB5FFA5312ABBD7540A9588B1B7D42B9325C5BB7CB4E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261123 | 2023-02-01 10:53:37.400 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tool_nircmd_as_system.yml | MD5=ED1C124C5A94E2A298E15F897696BC68,SHA256=20867C993963B19D5A0042569CD59CBA2E9A86C37D35821794AFB8AD754575BD,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261122 | 2023-02-01 10:53:37.398 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tool_nircmd.yml | MD5=6D2FE3B941FE12B92B4463A9824FB0AE,SHA256=105B92517C228B6B4AAA50DDC1D4962A2E109B7917DBECFFEA9F19FF18F20864,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261121 | 2023-02-01 10:53:37.396 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_termserv_proc_spawn.yml | MD5=9F06947DA600A1628BD45883624374E8,SHA256=65EF56201298A5A4A70F1A1062497AF6E54E007C8DB7474FC2C4A1BD309128A1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261120 | 2023-02-01 10:53:37.383 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_teams_suspicious_command_line_cred_access.yml | MD5=3BECC014938E4B56ACA4A1FF17B153AD,SHA256=D9098B0F3FF35E3B175CA0F5ADBA72FA4D458389B03EFF118ED968C1B11473E7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261119 | 2023-02-01 10:53:37.378 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_taskkill_sep.yml | MD5=FC940B268C734F9D35422F0A5ACD43EC,SHA256=D930A5A03EB020042E61E0BECEA927FD3E0E5AA391B4E706BA5D434A7E306BD7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261118 | 2023-02-01 10:53:37.376 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_task_folder_evasion.yml | MD5=E641B63EF564C6F6EEE815A3C24CF08E,SHA256=41723FB7AEAB42619F2EF355A4EB9D0BB75A2F4C74484D4407DF6F22212FCF84,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261117 | 2023-02-01 10:53:37.369 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tap_installer_execution.yml | MD5=264A2A43117D2C6BFE864F794FA711B5,SHA256=6A4C2BB75C72E72F20642CD94FCC05FD26E8ECDEE049D1DDBD6B2C23AB48F65A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261116 | 2023-02-01 10:53:37.363 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_tamper_defender_remove_mppreference.yml | MD5=BCD4F7EF9A4A1F486914CE183FADCEF6,SHA256=3D1AFD386633957F2B89365CE945A7840789129FBB966F83FB86F9E13A644CD9,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 261115 | 2023-02-01 10:53:34.161 | {F522A29C-3E26-63DA-7100-00000000BB02} | 3240 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-ctus-attack-range-865.attackrange.local | 52414 | - | false | 10.0.1.12 | ip-10-0-1-12.us-east-2.compute.internal | 8000 | -
23 | 5 | 261114 | 2023-02-01 10:53:37.361 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_system_exe_anomaly.yml | MD5=3FE6B1FE54D0F9685C4961E367459431,SHA256=21381334FAAD67E127D19C99A371D0BD00B556B58CC7247E32B93B02A04453F0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261113 | 2023-02-01 10:53:37.349 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysnative.yml | MD5=B2DA8FB8B62247A8DD16A681DE9B564C,SHA256=DED73E51C9BBF45D98ED7B7B3AEF23CCE4CB7750E68BF907C71BC996AF4B00FB,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 261112 | 2023-02-01 10:53:37.349 | {F522A29C-3E0A-63DA-0B00-00000000BB02} | 660 | 1688 | C:\Windows\system32\lsass.exe | {F522A29C-3E0C-63DA-1600-00000000BB02} | 1292 | C:\Windows\System32\svchost.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23 | 5 | 261111 | 2023-02-01 10:53:37.349 | {F522A29C-3E0C-63DA-1600-00000000BB02} | 1292 | NT AUTHORITY\SYSTEM | C:\Windows\System32\svchost.exe | C:\Windows\security\audit\audit.csv | MD5=6FA86A09DD9C4959890DE3B69C4CD81C,SHA256=3B503B64EF5ECC4749AFC915CE7AB178BD9BE70159A6EC8C4CA28704FF55532B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261110 | 2023-02-01 10:53:37.347 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysmon_uac_bypass_eventvwr.yml | MD5=0676A978370C457D06662DFEA0D489C6,SHA256=D503403DD01F4B441EFA67E75DC1F29FE12DE77971E8061F77AE0C1731489144,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261109 | 2023-02-01 10:53:37.330 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysmon_exploitation.yml | MD5=39E13D7FE0528D077B5C890DF23D1B0D,SHA256=7C5B09D1993BB3C10495EA1C5D13422BFFD63FFF2811AB33BA2403EB25E7A320,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261108 | 2023-02-01 10:53:37.327 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysmon_driver_unload.yml | MD5=2CEDBB4B246A01C80D788DB7939F22C5,SHA256=7918C5CF0F0AD588D5BA09F045661D996837CE706BCBD7674F29496EE4EF8527,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261107 | 2023-02-01 10:53:37.325 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysmon_disable_sharpevtmute.yml | MD5=C957BF5E99F1FF4CD77290829316CF81,SHA256=10EEC489A335639F9C7ACE89B0D895CE65D01F5E916C2D10426301748E6B9D2E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261106 | 2023-02-01 10:53:37.321 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysinternals_psservice.yml | MD5=C85ECE75AF55EFEBDF1A7AB4E44A1F1A,SHA256=C778988F3208B1AB24FBBD3303732BCFE45E0BCAE1D99563609586A0651783A1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 261105 | 2023-02-01 10:53:37.317 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_sysinternals_eula_accepted.yml | MD5=92E30ECCFF2BE735E3314DF051EFF1BB,SHA256=B5B9F337861D40441784B727F64828674E97D70F733F20FA0D43DE52F3E1417B,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 261104 | 2023-02-01 10:53:37.317 | {F522A29C-3E0A-63DA-0B00-00000000BB02} | 660 | 1688 | C:\Windows\system32\lsass.exe | {F522A29C-3E05-63DA-0100-00000000BB02} | 4 | System | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
23 | 5 | 261103 | 2023-02-01 10:53:37.315 | {F522A29C-446D-63DA-9F01-00000000BB02} | 2428 | ATTACKRANGE\Administrator | C:\Temp\swiftslicer.exe | C:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_zipexec.yml | MD5=22F861B64EC9D54BDFD554A92263A5A6,SHA256=D0D499E3F6BC362A6A5BE5A0F12A7AF274F220FFDED46F2D90674A43EF0112A8,IMPHASH=00000000000000000000000000000000 | false | true
23542300x8000000000000000261102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.313{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_zip_compress.ymlMD5=D8D5743360A451D77C513FF2F94AF1FD,SHA256=3D6D8662697B1CC42AD59431F8AB640F719317D7C6C1962A61654B319A217507,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.308{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_wuauclt_cmdline.ymlMD5=80B251D0F104E57714A31AC0AA024865,SHA256=5F7E939E7192606AA3E55DBC105201DBA27B8375CE7189F4BBA03A4371CE948D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.307{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_wuauclt.ymlMD5=7EDE628D14D872E50122D9F433BFECD5,SHA256=841EC5380858E8DFEBA804AC48F0A28BD1821BE1D4C68CC566FF4D1A1901224C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.305{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_workfolders.ymlMD5=398065AF87D7812DB9A5AF5FBCD1BE55,SHA256=DCA4118F3F424DF301FF7C66A6989B2E0363BC2E2024751B4C319F86D63C759A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.304{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_wmic_proc_create.ymlMD5=8A8D740BEB3C67D3A0D2D505098A9E71,SHA256=5C378FED718482218AB5107704A09939B123C28E8FADB46CA839A9B5AA524B77,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.302{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_wmic_execution.ymlMD5=157CDED64152E08FB0F7D4C11E46749E,SHA256=C2DE78CC90DB3E47C4C2FE858F995E4AF8B36F9FDC28298FC54A6BCC109FB0F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.300{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_wmic_eventconsumer_create.ymlMD5=B5688FA2EC997646B6615FF1B078FBA3,SHA256=0E0CC893DF56FC6AE8C824B4D97A59C4AE6EC1556392E233F79592CFEF13B1EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.299{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_winzip.ymlMD5=BCDCD78D22E8C1C0C4759BF69AE03E90,SHA256=0FA26CA6E81CCFACB561BDC939DB3083389106A89380E6494E206D44BAE08A44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.297{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_winrm_execution.ymlMD5=B3618BC8A34E597FEC1C8D1EE4320C6A,SHA256=816B9C5995FB0DCD6B85EE986D7C1452038D2627AA24D977DA44FB460548F9E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.296{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_winrm_awl_bypass.ymlMD5=8F0FC6D3D22D8C320190BFA6E012E53F,SHA256=960D46802CD07FCBD62E1B896E8DF8D1E0F8ADBEFFC6E371F58F80A70D623276,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.294{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_winrar_execution.ymlMD5=C2733B160A3CCDC030DE0792BADBD8AC,SHA256=7973AB0AA16C4A235415444FBC8D98B5A796F631767E9E4CFC17AA47D217A0C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.292{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_winrar_dmp.ymlMD5=AC25C6E8E8218353A1AF8E8F05379400,SHA256=40955545CF9CFC5362064C8885B451C3CE1297CAF358A8E7DB7E33752C0879F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.291{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_win_server_undocumented_rce.ymlMD5=F988EE6243011CDAC27CAD08C407D2F8,SHA256=630D4C5E08E035D627BD47F485A8670C0F4ECE28C9F2FDD1E5838BA7379065E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.289{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_whoami_as_param.ymlMD5=89D8BFC4B3D3E44BFB01A7395360B98B,SHA256=0DE4C502C1F3F37F8224AE8B01B735683A153A5D8E88B10731E3BB5E94C78D71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.288{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_whoami_anomaly.ymlMD5=98F7510B8D8B2D1BB91734D881FC38FC,SHA256=567EE331C76E8059A2BF8A6C1C76E68BBC9D82A8F23093DC6E440FE1E6F882AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.286{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_whoami.ymlMD5=68F326D8FC2B7D0556B7DF585EAE70C2,SHA256=4AF29487F58C89BA3FAE42FA1179077BE6C77B32BE6234ACC5923A7161818F43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.284{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_where_execution.ymlMD5=1A7B9BCB8BE134A4D651BD9CD6CE7FEF,SHA256=8BC4E756469F6FC9CA61E2D221E88528C2040B58CAA7933814CD515F051893ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.283{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_wermgr.ymlMD5=50C4ED8E52037ADFE10F68702DDD85BE,SHA256=DA7E503D0F2A2DFD5D2AADDEF271C45F79DBE3EDCB2D7899ADA566FDDFDC5067,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.281{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_webdav_client_execution.ymlMD5=B3941B4832ABCD253379C1DDC3B4A7DA,SHA256=786CB7F3837D0F79485450F27ACFBF1B287234C3BE69200468BAE022B4A34EB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.279{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_web_sysaidserver.ymlMD5=0D25E9A7020A4017BE4E26691112C989,SHA256=D471A9BD2F2926B526EB1CD86BE5A2A824495F834072D2C125B1A16CA61C9593,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.278{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_vslsagent_agentextensionpath_load.ymlMD5=81CB8BB4EB51A1279F5C7AB1B54AA10B,SHA256=94BDDFC822952F57F15AE0BEE1B9F54A20C3E2913F803292EC01AF0EA3C87A78,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.276{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_volsnap_disable.ymlMD5=3728793FA5A7DF5B04699884FE937CC4,SHA256=553C95C9AE1590597115E85E75DDDE68F8D844215B620E16E8CC294C00990573,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.274{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_vbscript_unc2452.ymlMD5=B9D0D1F43411B863EA86316B56EBED2D,SHA256=FCD40973D0A6B69C9BA5DA09096C99F4B4A930B6C7A2A1D5EA5FC15F9D74F682,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.273{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_vboxdrvinst.ymlMD5=AB6CEB40757EFAFEAF11B0BC227D1B22,SHA256=ABCC90AAC64734D82778B2D1C1712FE503882B02D09179F4156D568357D625BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.271{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_vaultcmd.ymlMD5=C6C9B218436D4DBA3C014A27F96452FC,SHA256=0C33EC6B460FE3F9A32DC8C199632CF9921525DD97943850F1E0D8B12AB91CDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.269{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_userinit_child.ymlMD5=F578D4F9A90FB69E1D0619693BE04803,SHA256=0DEFBBF79C3C84D126B8603AC4E7F08A92C079C82E14C4E72E93CB06656554F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.266{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_use_of_vsjitdebugger_bin.ymlMD5=6C655B66CFF219B109F7C9EE714F8E55,SHA256=17B9899F312EF102A38F06D7578ADB2D3B90DCFFF429E12473A7B65E5560868B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.263{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_use_of_te_bin.ymlMD5=CEE3171CAA3754908059FEA696EEBF26,SHA256=BB7041DAFE499B9309BDE773C9E4059484E39AE6CB1AD725AD16EE006EBBB88E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.261{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_use_of_sqltoolsps_bin.ymlMD5=6632CCAAB3313015BF5868E734A593E9,SHA256=E2BD5ACAA4A25F0C3C3C4797972455D6144C0FE195660FDEE608E7FFC65F3A62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.257{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_use_of_sqlps_bin.ymlMD5=CED1BA2C7F6790FA1CA06A48983F202D,SHA256=FB45B999C72425C5585815261EF1CEF3D52E5F3FF30D87286B212E0A95268258,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.256{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_use_of_csharp_console.ymlMD5=1592CF8C76E37C5FF45D8D15BC995415,SHA256=BCD9747E274D38F2AA0B1329C456B7B43FB4DF0CB0D0C09BF936A290F0705521,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.252{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_uac_bypass_trustedpath.ymlMD5=2AF8AFEBBFA237D85E2E9AD398A42464,SHA256=FE4C34DE1AC51B8E02F4936AF7840D2A3ED57376541F3BD7EC19792850D96724,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.251{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_tscon_rdp_redirect.ymlMD5=6D640549EDB2F6B7F1852878C5F3EEAF,SHA256=DF119709A3C5495F43EFB059B23FD3FC3C8CD011D92C2EF8B2890A8D14961150,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.250{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_tscon_localsystem.ymlMD5=5FDEC5509EC538011FC8349A5BDCDE32,SHA256=1445B29CB7A91D4FA035A2634D35F351F8CB9B21C26270182E986D87429010CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.248{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_trolleyexpress_procdump.ymlMD5=524C4D43DED9DC7A599E938C7D9EDA96,SHA256=B367160AE053C063ECBAE61AC0AEE3FE7D1339F3E9B0073F5A0534F67B7B16EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.247{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_taskmgr_parent.ymlMD5=FCD39A9BBA5A1DF8EE69AFA3DC42785E,SHA256=2FEE6A295F8B8A1A964C69C149BA00887DE8FB8A24A3031EE0A8AED68AD73B1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.246{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_taskmgr_localsystem.ymlMD5=51E2655C00C1996846675E3F3330507F,SHA256=2F0FA15E73CE8D8AA16127FF92FE4D02924DC5C99C616BEA1E3F769E44BFBE36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.244{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_tasklist_command.ymlMD5=F4FEA13F32186BE5CBDEE7A6AB939FD6,SHA256=F2BBE91DD116AE414670BE0217C6EFE9837C930D192564E9DEC0C53837507C06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.243{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_taskkill.ymlMD5=318B69F20FF2B07CD006F139844393D8,SHA256=976FEB031198AF18E74714C34C220EF4F91965D24BBC1A6A7B009DFE55BC2C54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.242{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_target_location_shell32.ymlMD5=9836FA92A047CA7B2C8E45AEA015DB27,SHA256=037125F092718F1213426C362DC60FEBF6A76CE2CE007A28DD6E3A93A1E36C5E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.240{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_takeown.ymlMD5=8D82387DA5E27A1693D8D6DECCB9FD38,SHA256=3939DCDCB91E497D8069C3DABBA18B0A4F6401F1D38FF3F397DCA58C3198AC97,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.239{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_sysvol_access.ymlMD5=B6BF87A8134AB988D0F486DB1E2B9A57,SHA256=E76DD0F9624F03928BADC66DEDE70D7762A0012213B68F8A7A4A62A85619563A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.237{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_systeminfo.ymlMD5=4CD47631AA4B0003E5A0E493D94020F4,SHA256=30C609B54EFF5633F841AC5862A79406FF6BCB9BA389961EDD5FB546EB88A4CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.236{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_system_user_anomaly.ymlMD5=F2E180B6D0C735EDB7BD5ADF4DDFB0D7,SHA256=D5A34C78DC5EB1D3593E05FE8A3D5D2C8F0829CB60AC7980114DE0FB808D6B8A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.234{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_sysprep_appdata.ymlMD5=BDF7F4B4973A8084264213AFD7BA5937,SHA256=6C5D3D87AD2043B5D2C5EEC5BEA7F392F8B6923D2CB7768573FCA55A93BC5A87,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.233{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_svchost_no_cli.ymlMD5=D83E7B4A96A5FF7011EDD554D02AF421,SHA256=9B8165E45CCD817D8F5C35A0FF993027D99C335068D30DDA3BDFC9B655F664FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.232{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_svchost.ymlMD5=0A6BA1AA8C2381D814BD3FE351566EBB,SHA256=361767334551A2038D500913BCED2C3442CDD7B53861B74A5860A9C87DFD5EFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.231{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_squirrel_lolbin.ymlMD5=BBF294DDAA6E12877106E4640BA3CAE9,SHA256=B0EA8C83FB853488F7C9BA2C2EE85086783950D254B61EB6C95BD897A5B04C1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.229{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_spoolsv_child_processes.ymlMD5=2034EA2F143442DB0E3B35FF0016FD1E,SHA256=A2979E28B9C079B3DB03FC0DA4A0F07143419898345C3D80196B9E95D3F0B936,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.228{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_splwow64.ymlMD5=5666235B0CEF236E19831099234DC745,SHA256=C334CEDBA71E477E2B4129EDEEC4B8BFC83B41C5D6044E04738CFCE1284E9D45,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.226{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_shutdown.ymlMD5=769483257C0A6F1EE38400F2C6A0CE41,SHA256=3B703F1C760C7E0FD08DC81B792E32213C9F1F19AFD7B44F26B0A7FF573282EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.225{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_shimcache_flush.ymlMD5=AC45295952C53921F95715DF0E59DB38,SHA256=6968759D00FEDDE75EB425CB62518B2984CCBB815F75AB9B6E3160B5341302A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.224{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_shellexec_rundll_usage.ymlMD5=82F2A17E8414AA4E811BB45C8D550A16,SHA256=1D3FF879C93F8B094A9A22E7E9569397AFF02661C874080FFDF04749FB42EBD6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.222{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_shell_spawn_from_winrm.ymlMD5=8894CE87BB26B85CB5837E0FC2E7D0D5,SHA256=84607D8D3D3B56A8EC2D7BE23EF68E5532D24CA6A78AEBA8736B21BBCE5AF616,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:37.221{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\proc_creation_win_susp_shell_spawn_from_mssql.ymlMD5=2418FE9AEFE33701DB29D9EA43156BC6,SHA256=310C0C3892511E439CB635E103FE6094E3342518863FD40F4036210369FAD526,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000261499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.926{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\E35761D39E39E9E2190CA165D582215EBD34711B2C85E301F08B9D6411E47D728043E52CEBF45C1612AA72B34B92D6950102AF0AAD785A59D15A7B10B983F21B.dll2023-02-01 10:53:38.926
23542300x8000000000000000261498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.922{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado60.tlbMD5=8497E54347E481E1493D16D650044B2A,SHA256=A0727BCBDB9C671CB10A0BEA081D4FCE9BD944364F15449008BA8146814EDA09,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.919{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado28.tlbMD5=7BE5E777A6CDC9B49729B4C7BD7B59CF,SHA256=A3F816F90939294161508C849C274DA7CB96F89FB1AB3E17598B146AF5B1D9C9,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.915{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado26.tlbMD5=FC72483615169542ECEA3C9177AD6D6E,SHA256=4ACDA7C2AB2555183A54801CA3B564E1C79E0A4670C9DC735127EEE326EF60AF,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.912{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado25.tlbMD5=C5EADB3429BB5353BC325520089AAE26,SHA256=8DF8DC761442FA4049A4779E4EF8E5FAF2CF11E1A149FD06968D10017B6BAF20,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.909{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado21.tlbMD5=119457A4FD29710A81AFCF2BC0531F15,SHA256=836F93C4EA921226C63B32A84E4E67E0AC7293D2125F27F7535EFE762126FF1A,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.894{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado20.tlbMD5=D6194BD87DFA05F98F2408718F86F265,SHA256=44E57F656566C3565D1BE37690A79F3E3A8C07D775A6FFC770E56C5A56A5EE0F,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.830{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msado15.dllMD5=866C30554D370F1DA90E749EA1DA679F,SHA256=FC88E800B40DFFC87E04B3A345D143F9C92274706429101E2F23F8656E6D0A55,IMPHASH=5587D5EB722BBF9C5154B60CCF227B0Atruetrue
11241100x8000000000000000261491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.829{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\866C30554D370F1DA90E749EA1DA679FFC88E800B40DFFC87E04B3A345D143F9C92274706429101E2F23F8656E6D0A555587D5EB722BBF9C5154B60CCF227B0A.dll2023-02-01 10:53:38.829
23542300x8000000000000000261490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.727{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\msader15.dllMD5=FEACC9EB876EC7702BABB4FC2A67A024,SHA256=B51C13AB10FB1679A81352F08A85806779F10E3C912FB791DC8540A3E21FE4DF,IMPHASH=00000000000000000000000000000000truetrue
11241100x8000000000000000261489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.727{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\FEACC9EB876EC7702BABB4FC2A67A024B51C13AB10FB1679A81352F08A85806779F10E3C912FB791DC8540A3E21FE4DF00000000000000000000000000000000.dll2023-02-01 10:53:38.726
23542300x8000000000000000261488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.725{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\en-US\msader15.dll.muiMD5=7050BD64C75A15339D525D48362ED770,SHA256=9875A3C15BC7B1FBB0B749D280873834EF16E5336CB9925CC8BF7CCDAE0C12A5,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.722{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\adovbs.incMD5=21A8AF873ACC06A30EAC8F5BBB7BCAAB,SHA256=DB34CB6AA57FC649B3E85493A8C7EB1A4B2F735A1AC81F869575276B08E40F2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.720{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\ado\adojavas.incMD5=B179A31D27F5435E718A83BBDE1338DD,SHA256=8ADE1FADF31F97B06DEA745F95055FA380215695799B757F1FA166FD4547C7EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.715{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\sqlxmlx.rllMD5=1D25138FCE56C3AEC53ECE04FB400165,SHA256=B648C66029DA113CFAED092FDC2043393834589F4072E429A61C7C6B9A68767F,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.712{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\sqlxmlx.dllMD5=7AC681DDF323FDA82D3230D12C929A7A,SHA256=2E8EDDDE50E72634C2F88C654E3AEE4649789C093F57C561E9DAE39F15760614,IMPHASH=BBAC24B58487C0883B410B32D2DF419Ftruetrue
11241100x8000000000000000261483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.712{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7AC681DDF323FDA82D3230D12C929A7A2E8EDDDE50E72634C2F88C654E3AEE4649789C093F57C561E9DAE39F15760614BBAC24B58487C0883B410B32D2DF419F.dll2023-02-01 10:53:38.712
23542300x8000000000000000261482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.706{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\sqloledb.rllMD5=2795FC4DB1D7D86F40D06769B6449C9A,SHA256=F574F182297AA4DFD1001A6722264ECFF63D6201CBB6FAD62251B5CDCBF8C150,IMPHASH=00000000000000000000000000000000truetrue
23542300x8000000000000000261481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.702{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\sqloledb.dllMD5=99D31C14115F1EEE6D9E49A8B753AA80,SHA256=9C0907F97F1BE002FADF2D979BBF5FDCC7A3866C6E638499C18509219600262E,IMPHASH=70B8C1DABEC2610341238B4EC8E70362truetrue
11241100x8000000000000000261480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.701{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\99D31C14115F1EEE6D9E49A8B753AA809C0907F97F1BE002FADF2D979BBF5FDCC7A3866C6E638499C18509219600262E70B8C1DABEC2610341238B4EC8E70362.dll2023-02-01 10:53:38.701
23542300x8000000000000000261479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.688{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\oledbvbs.incMD5=99F741E7D56E250B13C35373790E58B4,SHA256=25487B77D411C4BC25F0753027B0D28C54F592186957C57C7785B25EEAFA3827,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.686{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\oledbjvs.incMD5=F4B4B2A82BCEEAC2290DD190CBFB11E5,SHA256=42CB394D1803898E3086F8729548EDB6FEF178AC46E2C61549D956D5B1607010,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.683{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\oledb32r.dllMD5=DF496F4298A0F3E98FD6185879CC9B46,SHA256=BFCEF8E899B1DD1770A7B2FA9AF58343AA602AE8F4C95E928B908CE33368CA44,IMPHASH=00000000000000000000000000000000truetrue
11241100x8000000000000000261476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.683{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\DF496F4298A0F3E98FD6185879CC9B46BFCEF8E899B1DD1770A7B2FA9AF58343AA602AE8F4C95E928B908CE33368CA4400000000000000000000000000000000.dll2023-02-01 10:53:38.683
23542300x8000000000000000261475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.678{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\oledb32.dllMD5=2E0D8E8BC7827A84A3A2F57D19F7FF8B,SHA256=D42F6E9ACA561CEA62B2203EC4BD994EFF3EB6A7A2ACF8CE084E4A073E2DAF22,IMPHASH=A09B8303CAADE20549BE153591374A00truetrue
11241100x8000000000000000261474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.677{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\2E0D8E8BC7827A84A3A2F57D19F7FF8BD42F6E9ACA561CEA62B2203EC4BD994EFF3EB6A7A2ACF8CE084E4A073E2DAF22A09B8303CAADE20549BE153591374A00.dll2023-02-01 10:53:38.671
23542300x8000000000000000261473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.659{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A89D7A567DE10FA9F41A7A7A2F974D3,SHA256=8D1FC8C4BE861E302BE8BD48F5529EA2AA2222E0470524CDA874A8D06B356EF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000261472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.512{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\msxactps.dllMD5=CA262EE35C6D8F4BF20BACE4BB6020C2,SHA256=53EA0D7AD6058C4010ADC391B67BFAC9FD71A05A37C72102EB83A5650D62CEE0,IMPHASH=B667102E9B5EBF99C33C320C31707AF8truetrue
11241100x8000000000000000261471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localDLL2023-02-01 10:53:38.512{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\CA262EE35C6D8F4BF20BACE4BB6020C253EA0D7AD6058C4010ADC391B67BFAC9FD71A05A37C72102EB83A5650D62CEE0B667102E9B5EBF99C33C320C31707AF8.dll2023-02-01 10:53:38.512
23542300x8000000000000000261470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:53:38.509{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Program Files\Common Files\System\Ole DB\msdatl3.dllMD5=48A32A2F7C526DFD4B810CAB6E1018C3,SHA256=4CDCB06C589E7568