23542300x8000000000000000198869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:01.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD2BCE36E39BC17F3669976070B0D78,SHA256=6D088E6B4864120B447AF6BB46816BBC233363AE762E39AA20D264EC5D5AB31B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:01.679{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F4781CE21F21A0ABEE9A8930CCC1AB3E,SHA256=6CFBD43568EDCE4307942F2BF697ED4DB74AED83F3FCB542D20CF7F2BB360800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:36:58.486{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57099-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:01.077{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8567E758877F100556535283B293D0D4,SHA256=0E69A54C42F3D58862BE07B14E580108821565F842C900B6119D060084E76D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:02.979{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508E89195AC37F7440C4449C1DD7B335,SHA256=BBFD7A90345925DEFAA879E84B785A61BC3A4DF09F18B296A1FDC5280BCA78CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:02.127{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDF4FA0A1F5923370F27CD9C98E8E33,SHA256=9A82BB56C66E99350B4CD16D6B1269C2D6DFE5E59C4084128C701E95B2DC5904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.997{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.986{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.972{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=57E5AFA0C37B6F0EF81A00DF6CCD2D86,SHA256=FA524206D183B8590524CC4374884B019415D83B220BDE05C9E2251A824CD5AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.971{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.945{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.932{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.924{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.914{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.905{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.844{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.842{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.254{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8020A1434BD8179CDDBD2A503BF0719,SHA256=3E4D350B31D776D4265E2C34495BC25968183003E6021D555C3DD39421846F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.930{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49EC12A76C11C3993701D1CBC75757CE,SHA256=4F2D5AF7296F62071CD57818DC98D54F565FBAAE20B4361ADDAC42AA09A90BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.466{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.463{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.294{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8369EA5EDF8BD21669C4CF2A4BD7C9D,SHA256=118D5EAA78E407524C769CD74D6D42C653F3ADE34EE0D52E55D00C7677D661A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:04.827{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E37392DF69EC266C4A8271003AFE92E3,SHA256=D4EC148C91DA211239FD57E3ECBAAC629E03F59F125042309375AD757DE3AB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:04.067{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB97D740E34442D8E917EF9A8E05C7A,SHA256=52FCB0B1668DF90E4F37EDA181699C9D621648875DD90B74F7723E06947D6D36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.084{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.080{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.072{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.065{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.061{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.046{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.037{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.035{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.034{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.032{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.024{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.019{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.005{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:05.346{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A73857E3395C9FA4F24E3705E0172E,SHA256=EF02883C93E2F665EB7D175A8E16A5F6D3C822B8732FA42EDC03B7CADF7AE71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:05.172{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB29CB2FCDCE7A4BFC15D3B44E0E5F4,SHA256=AEF07F4C2B7C6A0DB8F95127D7C5FC9FE87D8299F37A47336D6A9E7D1A0FEBDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.906{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59647- 354300x8000000000000000289088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.904{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local63201- 354300x8000000000000000289087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.899{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62635- 354300x8000000000000000289086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.897{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62461- 354300x8000000000000000289085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.896{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local54475- 354300x8000000000000000289084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.892{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58434- 354300x8000000000000000289083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.891{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61487- 354300x8000000000000000289082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.888{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local63279- 354300x8000000000000000289081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.887{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65292- 354300x8000000000000000289080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.885{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59966- 354300x8000000000000000289079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.885{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51284- 354300x8000000000000000289078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.883{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51804- 354300x8000000000000000289077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.883{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60833- 354300x8000000000000000289076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.877{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52732- 354300x8000000000000000289075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.871{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61311- 354300x8000000000000000289074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.869{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local64735- 354300x8000000000000000289073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.868{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59276- 354300x8000000000000000289072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.867{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62833- 354300x8000000000000000289071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.867{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51111- 354300x8000000000000000289070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.866{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59255- 354300x8000000000000000289069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.865{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52831- 354300x8000000000000000289068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.864{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59718- 354300x8000000000000000289067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.864{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64186- 354300x8000000000000000289066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.863{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61957- 354300x8000000000000000289065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.859{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51599- 354300x8000000000000000289064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.858{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59741- 354300x8000000000000000289063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.851{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62786- 354300x8000000000000000289062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.849{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60271- 354300x8000000000000000289061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.847{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59339- 354300x8000000000000000289060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.847{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60474- 354300x8000000000000000289059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.844{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local64341- 354300x8000000000000000289058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.842{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59206- 354300x8000000000000000289057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.842{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59206-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000289056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.841{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50443- 354300x8000000000000000289055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.841{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50443-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000289054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.833{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57102-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local49666- 354300x8000000000000000289053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.833{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57102-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local49666- 10341000x8000000000000000289052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.503{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.502{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.500{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.400{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD8A63ECB23BB106E9314DC4CB71C9,SHA256=BC458F501F5E7721B0491CE6D96BBC2312CEE42C0485ADF5A863C0B888868028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:06.253{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4976B3C1D53DC79A9832805FE460F6,SHA256=C09B8625F367D44919C2A731CDA5D69C36282723FB773D01D5D583FDC0C1408D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.364{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57101-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000289047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.993{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57100-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000289046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.993{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57100-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local135epmap 23542300x8000000000000000198876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:07.352{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7C2E2AE7539A5876BBD1C1CBE51E21,SHA256=DCB735CD7D3766DDA560030FDC783C14FE4D83109841C3CF4FDDF28F0577CA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A207B67262B9B6A1ECD83111D39ED2,SHA256=85DAABEB98D5FA5BD2CF0552F40C612E90998603F9F8A096AC546935F21400E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164F6406B5B466414724F04C3DAC005E,SHA256=22574AED601A4CEFD89B79CE3357B36383641B32503DC7284ABFAA251B6B78DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.262{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.262{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.260{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.245{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.239{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.235{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.229{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.222{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.216{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.211{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.210{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.206{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.200{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.197{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.183{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.143{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.129{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.128{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.125{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.109{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.098{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.064{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.044{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.036{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.035{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.030{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.023{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.022{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.019{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.018{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 354300x8000000000000000198875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:04.344{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50582-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:08.443{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3D2746B0280A30CB52B60FBD10386,SHA256=84D68B1BC8D7A64A6B16F40E1829FB62065608BCE29B4FF63421D5A97E3121C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:08.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AF001E9CFA4EF9D2C450D2118B758,SHA256=E7D9DD964266BD705001D72C0AF8A9809156E1476CADB5FE733FB7D1CA821454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.917{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51046- 354300x8000000000000000289125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.917{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59846- 354300x8000000000000000289124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.915{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local52191- 354300x8000000000000000289123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.914{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65378- 23542300x8000000000000000198878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:09.540{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69680D2680397E30C74F458E10A7208F,SHA256=F968888DAB5AC0C377CD07369BF7DD6AB48A60BE5003B5DB599B96D6F7C1FAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:09.852{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3336573FAA8BF312F03BA378E085E48,SHA256=C30DF261B335374B9719BCCF99609FD95B88483D946B2A28DB74952075F8D541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:10.643{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A872847B1069D9F8CE591FE568B216,SHA256=94BEF60710D0249A60CFA5B679A29079A04A4FE605BBCB9FD194914C2505AC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:10.891{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC5DB0AC27CDD2EA2DC34C6A1238AD8,SHA256=6AC47BB3593F0D203DAF5462AD9B552ACABA14FFA3365ED1DCC1CFFB4A9CB8D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.866{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.851{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.810{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.804{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.784{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.767{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.764{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 23542300x8000000000000000198880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBF56A7B59325DEAE789C55A41822CA,SHA256=DFEC279C352210E94DF289270824A702D43498C75409E62C0FF02D2F555B0D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:11.924{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D82DDA1A1E8AF509B364A33D2E63956,SHA256=DE6AA83BDA2AA79ED35F1402BA3BFE8AA0147BC577014E2D0D9369DC9E9BAFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:11.126{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-073MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:12.994{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779E3DA29CE97ADAEFB9E933CB6EF3C7,SHA256=B5973A24770AC08ABB3201A41C9B3E561C4E7248257377284A39D84AFDD8DA29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:09.495{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50583-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000289133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:09.453{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57103-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:12.125{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:13.210{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040D0AB48F848207246797013B284293,SHA256=21B408CFDE15BC1015142FBADD511A2F9FD332FCCEEDD4CBB6D3F5A078929F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.365{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.365{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.365{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.351{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000198912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9561AD11AC46A7854D57198F9F1537F6,SHA256=5DA3AFE9F89FB9F3514C141BE72900A336A911F06BEA27D86E1DEA41195243D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:14.012{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59B5B8FF277FA3CD261912D24600D5A,SHA256=752241AAA159A5632F8576C1459FDE76129739ECD113063B94668972012D9E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:15.433{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E45008B825F42C90760CFDDC2BFCB0,SHA256=1BF2FB6E23E768D66F47F6B448578E980681CCCBBE91FC674754611DE3291BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:15.149{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68EC8BED80726A6694B54DB4EF53C98,SHA256=79E3B290B683C9628858416D47A2DEA11FF10186C4CDC5044D1527C1D95EDF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:16.535{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87386B81582D04042F22A86856BA9EE3,SHA256=D71A637F17719F4BA185A56B1BA7655E938EFC91915891AC038FAE49C2F904AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:16.184{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5F7C6BC266CA10DB1C19E4FB0614B1,SHA256=2610529BC154364A435B48E3632FF54A89F510AE78CDD45B1E502E3A2482FE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:17.616{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078C3CBACCC52E1A0875D6D2FE47870A,SHA256=01EDD95F162673C3BCE2F05C3369AC6C03A6E4AB76A2065555CC7C02AE8D743D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:15.433{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57104-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:17.234{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0026B95529630C2CFE04156506834228,SHA256=FC9AF62942EE43C2B65A9F6AB34A95F4DB6BA6F8FEF3014047B77B60F404D798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:18.706{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8416D922609ABE6FB1FA5183610D38B6,SHA256=0241A2F1008F6D9AD296DD2CE5B10C537B35105DCF3012B96ABEDEC445A9A714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:18.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF995FB9CF00AB2AF25121CFE4724E83,SHA256=39A650378B8C8F6CFD4DD0F9F4D40174A6D731F911033900276F45EB519A32D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:15.377{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50584-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:19.799{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CA85FB42D2B1E2D9D773FB1726F355,SHA256=C3EA0530CB0E47CCD863BBE0839F27C1FDDEEBD172EB26C633CC60D54F07D98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:19.337{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77CDB817F2FF4A462D3B8708FF07BC0,SHA256=8A999F0A60E2346F4B746E57D580A33276ACFA71091441906CA2D4A4CD995446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:19.674{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06B99E075C770F3295E0C2B80EBD29E6,SHA256=F99B2D46ACC5E5123B203B4B244258DEB2090BC5B704E505A42583ABABC19534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:20.896{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51A00F9ABA4C6D2BDFF3AEDA1374359,SHA256=9F93615022A35F7FBD610D68264C8FA00DF6393D289AA16AB0A339B49480CAC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.545{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.545{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.462{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E866A2F323C11D146CD6AC74464B7BC,SHA256=269DA393F3EC5FBFF46663047DEBCA97F9CDCE1272C031DF646735BDFEEFEFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:21.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA16EC95572D6F2E84389E7E037FF0A7,SHA256=9A1FF675299383D869B7FA54996FE6C4D163D46CB5D0D5D8E8A8123DB9D217D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:21.516{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D06E3EE631B770656688051FAF2B504,SHA256=EB6280EC0DA700CD00646CDDC98F578A81B97DDF032652A17050EE75ACCDA5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:22.578{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5EAC297FE1E0722923F9EAB1741534,SHA256=15EF0C21C796E7C25DAC855AFE483B0A01C24C420765391CD36D992DBF0DEA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:22.563{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.578{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57105-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.988{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.977{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.968{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.940{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.928{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.920{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.910{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.899{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.853{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.843{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.618{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECF4F5A883719F033098EEE9C36A449,SHA256=4F6D17011E82A37D0F547D8A5AE012D518A94A20493FD9311C7CFC4F6A30BE15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:20.514{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50585-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:23.063{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E449599C9D8481CDD88F0860EF7E0DD8,SHA256=64F623622D4F88C43141FAFCA732E8A637F01012A626575A25EDBF9E32283648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED95222C38694BE9FD80B28F9312CC,SHA256=921316AABF978FDDC9669E5826D6B7F2ADB66B2E1D299E71705FD9B26BDBF860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:24.153{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86F0A8ECFE8BE59343D11EDF2E88A82,SHA256=E362FF22564FE44901324D0D231F5CC512633D5605D7334E2FC047A5BB6F1CFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.463{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.460{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.084{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.078{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.076{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.068{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.067{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.049{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.037{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.033{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.030{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.028{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.021{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.015{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.000{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:25.738{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7278910401250D272D9793293EB4C36,SHA256=144F2ED73000F1278CA245E7BDB7B68A63AB4D1564E6AD9CA46FB17EFE304A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:25.251{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FDE1E32C69F8E08295D94408DA484C,SHA256=1CAEB3938B88E48E34092A71F5F88C84F3F34CB73FDB59CB4892E838B6468BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.999{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.995{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.992{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.991{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.989{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.989{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.925{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08E970923342DDF4DA6A0F4EFCF3020,SHA256=F1EFD6E86CD4B3F4D06C3977C843E1114D52F59F48C59CFA659161C090741AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:26.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ECE01EADAC7AC21E6D544BCE80263F,SHA256=136ED70215B3CB4EDB4446784DAD3DD4AA25EB376F6A2C20F1143D769CD735C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.475{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.474{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.471{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.332{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.331{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.331{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.318{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000198931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:27.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E57934A81712D67F7BFDD6897F4F780,SHA256=3A820790C85CB3DF94B86D09CC90545205305798F88BDB57DEB06E722DCD90C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.688{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=191133D00F06479D992A761B930B7A84,SHA256=508F8616178D156C299C37182C0A22BB412D7F4EAB24F23055D6B7FFD8668B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.673{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=F15312A6AC9DD62E8DD470B6BF6FC453,SHA256=974DA5D4DEAC28B0F1FB56AACF3CEFA0EA944587ADC68FC7731DA52A67765647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.341{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.177{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.176{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.174{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.162{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.160{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.157{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.155{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.152{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.147{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.146{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.145{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.142{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.139{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.137{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.130{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.111{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.100{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.097{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.094{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.073{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.064{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.025{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.017{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.004{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.000{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000198933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:28.547{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D3B7EF78D00B86507C1A7553F354E5,SHA256=35719E87EBB2D234BAAC1B93275CB58FB36D8A2585AD21E42FDB2ACC6BDE3528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:28.058{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1759E62921B21BE2BC0D4A5BC1B4FA9,SHA256=45E72E3B70AA935C11D3A6981B70E365BA061ED19D3B1D05F6626DD7CCD5ADA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:26.329{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50586-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:29.689{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:29.657{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE339CAFBE9E0402C8331FFBE9BE9EE,SHA256=FF17AE9BAE33C3545CCA8EC223367ABEDDC2512C8D10A679E0B4FEE7477BE879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.859{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.815{30B46F62-5A49-6352-5903-000000008B02}73846184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.583{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.540{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57106-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.107{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19F16B67B6F188457360905FF5E71FF,SHA256=1DA8A24D780D8B97BBBBB4749D034188FA92C720491EC6E5EBCA4153A74ADBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:30.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FFF79D3C1F8AA8952168C30613607E,SHA256=7F26832B5476727D06FC31D5B606224FA048B2BFE4F65F1D693F1291A7D47832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.838{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B248ED313D4458B34154EA25C61BA3A4,SHA256=DA00A6F35FCD7023DA086C196EE724904F830E19618EA0BC39166D6E179920F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46E72D46EF702361BD8085DD429159A8,SHA256=D17A2D588177F3E5E026722FB4FD007A3A8E3EE8A08CBB1DF7D7687800D374BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.227{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.225{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.225{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.225{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E00E0FFE15A1EF653EA28C017C70FA8,SHA256=4E185BDA4E611385C3D4D3EAE7C7AF39F948C76E13E57FA3444DBE0E3E8BCF4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.950{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000198945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.835{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AC7FF7EB710F0ADE9B6BC6EC006839,SHA256=EAE5DEA022EDDD2A764BD486ABF5FD0E7A2DE0F6830EE518984BEAAF3D1D85EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.798{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.788{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.774{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.748{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.746{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 354300x8000000000000000198937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:28.982{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50587-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.907{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2909570496BB5BEE8CEEE42243296216,SHA256=BA7B6A9E6C02B3CAE62A0552C80A8CE5A907DB747B63D2115361F15E81E9DDC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.176{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57107-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.238{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494B77C998E88983FFCEFF6B7B203235,SHA256=3E1A1D162CAD0D44B730554E46C78A0F22C6A14E435333A9318893FFEBC6B3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:32.886{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6A448B32635A01A89110393680298F,SHA256=31A653E049BA0612AB371AC48387EC3E69208393E3F552BD7F952B7C34D1E1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:32.708{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=A466FCD17E78986F3170A11259340F52,SHA256=E83432514BE5B2B2A2176A6F603FA6FE2CB97D0469DCC14CEB72F32886FFB212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:32.292{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7A6D32585469DB5F0BE7A601110E26,SHA256=D9FBC02E27A165836A48B673070FDA851E608AB75EF098E8BCAA9488533513BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:33.924{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6E1A19FB159A67CA66FF9A63A6F299,SHA256=35619678CDF530A32F924B2D3073E6E2327F12F3C4DF0489A82812E6C676F59A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.509{30B46F62-5A4D-6352-5C03-000000008B02}32366356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.672{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57108-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000289265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.672{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57108-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000289264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.340{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAD514FC473125246A4CF4A14FD855F,SHA256=1D01C59A7E59BABF68B9AE985E46390C2E9D864DB4CB3BDB2CFF17769CA87760,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.421{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50588-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.683{30B46F62-5A4E-6352-5D03-000000008B02}75044092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:32.473{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57109-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.478{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.394{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E545B4AEFA45F61B8A7F1103F66CCC4,SHA256=E5DC6CC7BD9F3942BDEAFA15803050BCB02990FBE4F2A9B096481E35D4993482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.442{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD7645BD25A8A92A7F871831317C56E,SHA256=5785C06FF6356DA08DD121AEC43B113269A65070B2DDB327535820008575334A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:35.015{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97733728E0E23D739D1B93107FCA3DEF,SHA256=2E363F439A40ABC0A92EE828FFE0330BE003CD6F7358A917E9E03675AC5FC5BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.379{30B46F62-5A4F-6352-5E03-000000008B02}76766260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.162{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.162{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.162{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.161{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.161{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.160{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.160{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.159{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:36.896{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E239388F0C9798506E715E3366E8B05E,SHA256=ACF40E23177E1AC0C9C4109A9103CFAC405A424890090356B7DECC66F719E253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:36.527{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679866598294C1D2CB1DE0313448BFB8,SHA256=B7963CCB0060ABB7A64688526BF83E8000681350043DCC788EE4FBFC127AEA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:36.105{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913663215DECFADE86BBB931154A7163,SHA256=509E2A75577F68869B4C6E7A5E778AC42D2E874A2627203893E2A03441101E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:37.581{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC83B05E7E5BE05A6C499F1CB0D6DA66,SHA256=6DCC9FB5F8674BD62B62058F721682FF044BAEAF2F1C67E47FB36CEE0EA65816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:37.200{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9532DFB63DA50AC2662DEF9C1DA847,SHA256=70EACDAC4F00A44A3612D954E0449E2465734B1E0A1DA19A00C4B7D3DCBD63DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:36.545{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50589-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:38.303{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7560206F9BB1F04B660B8C9FF192E847,SHA256=D7E7711F432C65D4950AF675D5D4F1CEBBD16E2F7C4815827FD4E3271D5F4C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:38.715{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74109FEBBCA3D018423FAB56828A8E58,SHA256=FBDFF90BE824827507E75915AF57F70C255E31CAC4AFBAF2F5D613F0B31EA895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:39.397{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AE34B0CE0081E7E2049854C6205B02,SHA256=EE7FE034BDE7BA96A45608D40D8B751B468EE3502EC1EBB1F417343F7C658246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:39.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686AF5D6427D7E16DB8C5D701F64A7B3,SHA256=377FD2A825095A97270490A1054EC650280EA5A6D2CCBC718D92153C664C5F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:40.475{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FDEAB95AA8D4B69C9C6BAD80A7EBB4,SHA256=901B0EDB3215DB057BE04BA8DB99BDF06561AC0DB81A7E37A119F80CA4B9BAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.886{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C8E7526159FBCADA5B46046A6B1B8F,SHA256=710F4AEC19E8D8DBACFC9E8402A970837F62336A3CFFEE65F21FE3D6754857B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:37.594{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57110-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:41.568{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF70DAECAAA1F68B7E0B671CD2E06351,SHA256=D9474AED42DD4AE4551A15B406159C85BC3E35685044B261DC00E163EAC68836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:41.951{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABBEFCB9DD76DD0CCB200EC29CF5BC0,SHA256=403D246CE625DED331795FAB413EED3D4555AD059F80D7C91729889E18107E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:42.658{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8823CFFDFD7F9802229CA81F83961C,SHA256=78DAF9A65EC42D07D7120BEC2F95211DB5708AF01A7C8858C13C6AADDDDB167D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:43.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8343CA733B478F1E7435C52DE90832,SHA256=45D06056B1502591B1BC999A8EB66ECCE60C8BADFA60C9CD3578A55C2BCE1F1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.998{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.992{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.966{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.958{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.948{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.941{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.918{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.908{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.898{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.890{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.881{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.840{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.837{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.051{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675D6150F52956FBEACEB2F5306FBC5E,SHA256=C156DC4ED4EA300EB4BA80944E9EC2AF2D339F1C52F51D9770C1D6311730F133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:42.490{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50590-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:44.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2F514528229070995DB2CAB49E91F,SHA256=A45AA57CB53409A60CFE82EBAA896B52AA81236CA7CF181FD1E2D491954762E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.523{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.511{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.120{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DD001AA62E08556A2749CB46BB7B8C,SHA256=59AC3FFF746CD60785859BE6129B87AC48049DB218E9FFDF8EC13264CAC60404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.035{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.030{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.028{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.022{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.020{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.012{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.005{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.003{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.001{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000198997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.946{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA8F647C95553CEB1F9FA9E7D8C9664,SHA256=CA15F69F964D59A08B4917A91A88ED3DC587B9FBD40F8A9796D7B03A223E17E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.634{EFF5EEA8-5A59-6352-AA02-000000008C02}12482356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.478{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.500{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57111-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:45.197{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6B794A44E641DDA3F64FA94B54E532,SHA256=01B58B4DBFF179CB6648A26109252FE8A1AF2EA4672082070ED4FAC66BFBCA04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.563{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.562{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.560{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.313{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DDBA66D576C984CB99A70B6FBD6F7D,SHA256=B8BEF9A8EA1D9B3C753CE206CB6526A7B3B994FA7E8F77DC5A5CBFD22455881F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.833{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=817285FE98AD9670B70A6EC612FB5B4B,SHA256=9C18EEC6BFE32063DAFBB7B1EAC0D63EF8F7EE84D1A2C9C5263DBC2BAD9809FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F4017CA78DDCC86223308849F0129EAC,SHA256=0DC10B3A9EBF6A2DF07FE56D15603745CB18EDF51A9BF3A9769C8162D101EBB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.307{EFF5EEA8-5A5A-6352-AB02-000000008C02}40283368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.150{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.429{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC7D98EDCC356AD3C03C61165AD28DA,SHA256=9C9D17FE55C1818C2223787CA5CB9781E9E9E969111992B27BF04324D5102FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.647{EFF5EEA8-5A5B-6352-AD02-000000008C02}34523952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.225{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95129C459E3C0A3471ACF97924B0487B,SHA256=3FD46FE86C11E2153566EF4E2774D58E4C9BDAD715C5BF0484101274592EF07D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.258{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.243{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.240{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.238{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.235{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.232{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.227{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.226{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.223{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.220{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.217{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.215{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.208{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.190{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.179{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.177{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.174{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.157{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.145{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.112{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.104{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.095{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.090{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.088{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.085{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.081{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.080{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.078{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.077{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:48.514{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E59D3FAAC2C0B5FDC1BD57F51C2C68D,SHA256=4F35A1352D45BBD10D97D5A018A36F62EA2B2707DE6C3BDF984DB6AEC5DE8CB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.846{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000199056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.336{EFF5EEA8-5A5C-6352-AE02-000000008C02}4161996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.336{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9FD7C544020363A5798570C494E886,SHA256=3AB26D4AA48CA50883615485C3ED11418E8BE1B39A6E6CBD08B8AD017141D8AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:49.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3489892D6104A580B10DE96027473F49,SHA256=608DFA485240653D717805936AB3D8DF5DD9DA70C33B48D241F98668E09B03E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.890{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=435B7D0692E5E749EDBE3E3B64B92F24,SHA256=5062E7329FCF4C2657E749C28690E9F54ED41D2E8432341EEB88D15B933065E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.458{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015678C640FC042506253CE0ED537938,SHA256=9243DB9C64D54A483C0860E911B1D80064DD03C20ADB769904885D733195205D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.444{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:50.703{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6F66B01CC7C58656CF99DB4445F8F1,SHA256=2A5EAFBE6C1799B0DA58DA208B82F8B92F80114403A0629FD63B5EDC36AA14E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:50.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D933DEADF8C1ADBC7E7FF35E362112C,SHA256=8FD889C1E561F8124919CEED0B3B4F432B112AAC9B41FF1F8DF5559D9784FDE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.871{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.869{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.823{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.816{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.809{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.784{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.768{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.749{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.746{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 23542300x8000000000000000199087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.644{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C28673DF3D3B02818D602A138AA03FE,SHA256=2F8AE57E53FD72393F0DAF1DFAC0CA8C7877E655E40BA9735481461FCF6B93A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:51.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCDBF546558B152C6083AAC14B663BB,SHA256=981C331E14E907D372D6DC44743F68B43A67B76CBECFD47ECDB6B1F527C42CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:49.452{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57112-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000199086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.346{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50591-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:52.819{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC406B4ADE6AC1D0AA86802EFEB0E1F5,SHA256=99C7BB32D350FB15B2339C16C49B56E3E42EDE2617F89F2F5384F7215CBA07C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:53.837{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1D3EA833C3005BDAC7B095C70314E6,SHA256=C7EE6EABDD14D9DDAE3D4B425EF287B75CE1FADADEC9638AE71993AD6D37A284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:53.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD1690771D1A18A953F7F8253937CBD,SHA256=6893108D508A63A0563EF557C3D54BA0632F529E3DEAB328FCAC3844C1BEA97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:54.936{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5DB79279EAB6980DF17A1DFF2E4113,SHA256=02E6EEDFA0A2878549D767EE2A1EA0514B997F8589BA70F9ABCB9443CD3BFED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:54.367{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833615A838A37A7619CDBD616A1FD72,SHA256=3B6D3334EBF50AF6ACE4B0440BE004B6738722BBF3EAA19C6F68FC08AC02CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:55.469{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76EED35AC53C77E8705720CF708A0F3,SHA256=6BC065E812C61119FD962F836E8E78E8404CE8392AA06209E2396005D5E81CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:56.557{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B717DB2CCB7B586FB635B644487D44,SHA256=9C63D367029B90A1B43B338DC7B4EED70DE5A6D8459E4458DFF22A08983B8EB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:54.571{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57113-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:56.021{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC8482A02BF904B32DE7FD5C36866BD,SHA256=4A69000E09757F9D66CEEBF345024763A9FAB1780C2380498C44F5AE715693C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:53.442{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50592-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:57.644{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803811ECCD2708DBB14705195A9FF195,SHA256=D972228C50C8C991367BFAFBF350A3044AB052E8BD9A1A923EFAAD4F86AABC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:57.138{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4B210E01100994BDBBF7214B52FC88,SHA256=755DCBA75B7252460715FBA284B0CD6A11060251ADBB16BFB7A876E7E569D687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:58.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF228A48E5F6D7D37781A85357DD65DE,SHA256=C1A9E7F4D447464F10A1EC06C9A4C7410A8844352BCC3DC6BC211F31D55D86F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:58.268{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691CABEAB9BBEA10C597A172CF908C30,SHA256=95BB6CDFFA4D92A62BE00D6712088A484C2B659C5C3F5267EA9A6D360E4F218B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:59.839{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD01BC747F4938B761C8560981D57CD,SHA256=6D14402F5EA2B579A5F71FCF30379E04AB721BF021E6D09FD4989ED758EEF599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:59.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5034305FFB18CB79D88F56CB6743CBF3,SHA256=5D094822FBAA1653B99D60AA45076D700350A044E300BF57038434F93EA4BE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:00.929{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3BDF7D1E156015DE2E19629FCAF03C,SHA256=5200870A1D731495AE96F51264AD3C0420FC059CACEC0EFB2C51DE9F69991CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:00.407{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66BD242FB48DE71A8EF5D0E0CC96728,SHA256=9EC8ABDCC2BA2DC7047A60F4A693455C62711C09AB374A7A5A8490A9EEE02F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:00.618{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-074MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:01.538{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B701633C5C02E27784387FDE1879FFB5,SHA256=5578FA1BE283D2A1C8EFD31983E09F2940B4915178C7DB9D87FE16C9D3C068CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:01.620{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:59.371{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50593-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:01.139{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E467180CFAA12EC73A83984C9D6E9AA6,SHA256=F12C6397D2B75CDABA2451FE10354FEFD7FB19CDA07C15F3D0900959F63743F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:00.542{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57114-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:02.656{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EA0070828EA60696AE32A47BA3E468,SHA256=07142B65510296A1FCF346219FFFEBEB89FECBA75C431800E1974C35DA97CFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:02.008{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0983F11811417C0E51222C523844C9FC,SHA256=45104DDFB5BF6D5C929FDD617C91B48AEEA0E8D6420F0B8BBA641247BDFD8078,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.995{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.987{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.970{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=016451A3784E1467F969D2C46A4FB92F,SHA256=7136B4FBD6A5BD654353B188EC99442836361E0099389CF9A801B49D759EEC3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.950{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.938{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.926{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.916{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.902{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.844{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.841{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.772{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F06B491E590ED54CBC24FCAF518CCA5,SHA256=2DF208224A0C6689AE96356B8451FEFF399EB304A18BBCB7AE5257EF1E22FC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:03.106{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D777215BAA7551BC572C8513D8CB9E1,SHA256=295E1BCEC951683C74B81DBF64B8CA3C134E86BE698908ED18BA3DBF05B864DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DDF7CD5D148740A6808F7F1E78F7F6,SHA256=CD388F7F7500EA7FDC9F1B1EDB359E529799A676B98B54523AEC6591942EFEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:04.833{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6990D4AD0C1A1AEFABAD48253F79B3B5,SHA256=9D977A9077D5D4ED3AC0C28208022671F34784F7A85E7C4512389BB4A53F959A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:04.205{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA00B13711130D09A72350E10270646,SHA256=129F557CA35E85A41BF630AAD7824B0E64A70FCBBEE2AB9EDACCA72D53692881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.584{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.581{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.122{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.113{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.099{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.097{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.082{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.067{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.059{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.057{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.046{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.038{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.018{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.007{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:05.927{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6639BF80A134B35114F3006167D326E,SHA256=22AED4F08AB59D8514C79D6455BFD89C10B6D198B35CFCE6B59E63DABC40D716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:05.288{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAD55F961763DC5C1E98657EDC3CE66,SHA256=8D9BD18860243335CD5BB5524977DD47113EAA9E1857DA7F9B88A975F187EC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.995{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBA45C3DD51886463D04F2689C3DBF5,SHA256=B1C1530B8C8DF29B3D70D039B775EDB37AC80B5DAEF714B4CFCC36094EFFD28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:06.375{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60891085D7D7E98B6F036629C6981129,SHA256=52143B0A88C82504CA81B80CD47AEE235BF1B6720275E480470CF82BCD59C4D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.614{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.613{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.611{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:07.468{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A992C1B28597663D25541562BBFF73,SHA256=59CDDC281EFE9106D7D904C714607E101F27094A554F525D565219A8ACA52448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.379{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.379{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.377{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.364{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.361{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.359{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.356{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.353{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.350{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.349{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.348{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.345{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.342{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.340{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.323{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.294{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.281{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.278{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.276{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.250{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.230{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.202{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.191{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.176{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.163{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.155{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.135{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.133{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.130{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.128{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000199140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:05.328{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50594-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.556{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DF7F0A8446F8A9D2598497F85EF910,SHA256=500D422C472E14DE32EFAE84F805EB016D0A8AD6912D86E629A20266A231A901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:08.281{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5AF6ED5B2A06EB8B612D19763322AB,SHA256=E292CCD83F4FF59B652A0D18FED5EDB3CCAB3B2CC5E8C7B0A74E40233E237C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:05.562{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57115-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.445{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.445{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.445{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:09.646{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4C568D73C02035CA4EDDDC7FCA68B4,SHA256=583ECAE49E624594606243BDD58BFD6C1E7054ED0C439D5D6672138BD449236C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:09.384{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB0B8E1AD4B060FCD9501DB07C6FE7D,SHA256=0451DC38DA3E02862B56FC1C76A09A98BE0F7A74566B3475FA0E8FE8F8869E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:10.739{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D702784F689DF3DD2780E803170D6F8,SHA256=D61677778B7E5186CA49A5A531B8FEB61B7104E02144E940BDA69256C37EF2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:10.485{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF01F473980CFE32662ABDE9C109994,SHA256=BD62B2A0CD08CEDAD9DC3BF4C9FBAE5E88C42F2E7BDA8744EE504FDF5D161E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.980{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.968{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.966{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.962{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.944{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.888{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.883{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000199149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.823{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A3DD55C6CBB91A86C7EFE87A8FCDA0,SHA256=C79180223775F83BD78F3A60B5564B2A8587726341C5A7B1CF85DA2E3E086DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.820{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.808{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.799{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.788{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.779{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.776{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000289489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:11.603{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B1904B1D2E6B4E821ADFD4A59D7FD,SHA256=8BC2FE5566ECDC35F7522EB481592AC0CE4504286296915FB86FEB2AFB5DC862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:12.961{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78A988D63A5C507231BD8E35C59BF5E,SHA256=3F1AD6FC5289B08D213FFC106EC9DA9F0B0D7A4C1356909DBB4262524A6B4BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:12.724{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE73A2F7B35E0708B826BA7572A05BE,SHA256=A87680FA16F3B0F92960BF36645B58C51FCB9EDB5E9B6C0C5B30D3DBD42F1EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:12.657{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-074MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:10.561{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50595-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:13.740{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86AFA371C7503BC9CFA3A9ADECAAB4A,SHA256=880D491485F3E64BB49EFBF71608DC97F231EA7CEE93B4FA684DEEBCF39CBF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:13.657{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:14.757{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E98111657E2179138D66892BBD2246A,SHA256=2C79D205323199C4359ADDD5B1CB302A4E0856FBA2ECCB7C4FCC9DA9B41FF187,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.364{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.351{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.009{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D4507116CF76B712A8A6D14076A2B6,SHA256=ACEC3AB46D09D448AEF5105B3F10BA9DB27EE58D67D3AE31B41BBF90E89F50AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:11.590{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57116-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:15.926{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF46c520.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:15.888{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666A07E98F45DD85D0439CF104FF623F,SHA256=CF4D23C3CD4B13A457F08EAF7F56779F4D696D6D2873042E950F8120F4496455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:15.087{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82836F135140F1CBC420B92CD186D52E,SHA256=9BCDBCE80A20043FEEEB71B822FAD6DD1C80EA339635C08DCDA1BB5DF5576397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:16.174{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56396FEFBA786FEB9594C13A527A38FE,SHA256=44300F942E16466EA2ABF7728CE52E10089418878C2FA903996A8BB402CAFB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:17.276{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5904FD9A9CA493FEA318EA6226FE9BE8,SHA256=095DCE807B03F1BD644B5D50E932BBA26DC4232F6A526D0067D95F494E7497C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:17.007{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36104BE5CADF37144FDA8D7D110CAB3,SHA256=B0962DF87C8F4EA601B14F6369BC0F36F9D093B20CEA0EB030B0C0F1CB01E358,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:16.479{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50596-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:18.378{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CF48C0AE0CC97291F5008D816F9858,SHA256=CAD1A78D3817FEAA9861C34DFE1C5BC028E253325A942D9564327E40CBF4624C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:18.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AAC0D766CA2334BC926C0400214B03,SHA256=53C8124EE06C222D6B54B23C69E2A46A92A989DACE2A705295537941FED45638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:19.467{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E882FB7D620F23EA8EC24D175006CC82,SHA256=BA23DF6646105B65833BB7A08B115B007844A0A8E9BB8E3D0641914AE07B58C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:17.498{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57117-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:19.243{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF331A8E4E47E8BCB2624B41C7243320,SHA256=5C532619713713D1CC786B8EB27EE67C86AFC1E862717510E6B74EF89D871D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:20.551{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88042D6CE5F7291BDA3F5CCA4096373,SHA256=94E453568D3AFC401AC93AACB900AB23FB15EAD1B0285B8FD916645C5852B216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.475{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.475{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.475{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.275{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF02B5D3BCAE926C50736105D8C69109,SHA256=A201A55C0CEDB9D4F744C6124472D384E4B870CBA9785AA6DED3DAD0667951C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.275{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.275{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:20.056{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E366024613BAF0AC2E42202E7E625D0C,SHA256=7B8F6FF3B4130BF9CFB315AAE52F44FA71C7E1D12E9284285533568CCEBC003D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:21.644{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55B40F6BF801B902F52D54A31D9F32B,SHA256=4E73497CD2584916D15BAEA9693708EC61E76796776DDD4B809C15EB6F04AF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:21.375{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5985A47A9348CFAE7EA5364D3ACC90,SHA256=6175D240A537EE33533097E3F64BB2B2F777CF4478F7DE988B6CEADC39AA6266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:22.740{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FE57043C806FEC11DFBF1F61F4321B,SHA256=3055D82CDE6EE1EF160D27D8AD01E3A9EE93A9512B2D0392FEB2E78C905838F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:22.475{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2377FD9B8412D9C577AB0755551EE413,SHA256=9867182E530F54C39E0158F9F563B0E8CB417247B7C6C5338332604019CF014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:23.839{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E505C145DEDA9B6B56D910AB34278F8F,SHA256=51FA4D4EF9550A3C08B093C46A8BE1C69BEBBA0088FC5BC44141192822C51072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.966{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.936{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.929{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.920{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.910{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.854{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.852{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000289510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.590{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22835FC9951D46E3AB3218356F2053CA,SHA256=48578681DDD4026235FBCCE6E9A895BFFEC79F43090934CF4E1739555B80D4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:24.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0DFFF445A58ACE4B4DE6A2DEBB2845,SHA256=41200A9FE516B6885D2EB1D5782365038D69D35C20738B42FA2808B7044C7118,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:22.413{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50597-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.646{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142E5E78A15EC49AB4992D3D59077DBE,SHA256=FC1BA573F5D6F0742F6F59740FFA977620EEC9E8D82DF13994AA6D24E6A5AB52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.567{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.563{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.168{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.159{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.156{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.145{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.141{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.130{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.119{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.114{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.106{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.103{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.095{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.075{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.036{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.020{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.006{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000199193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:25.931{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97941B8A0651B095EC8746762302CFB5,SHA256=CDCA887D16C7AA728EEB4F80B19E01409305306CECB88416883C4D7BF93A3301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:25.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1591004B5D8B5BCDFA9B9C67A20BCF16,SHA256=5042E2B5D74DA6542594C4E1D439CDB8A4A1CAE01D581F82705B086088775496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.816{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E85E10939ABDC02495D559BC767CDC,SHA256=C4C03B4B530FC8D77B62759A610F8676B320900D2EF88462231A64A37272F7F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.598{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.597{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.595{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000289542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.429{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57118-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.327{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.327{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.327{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.314{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:27.009{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA1E7161BEE11E2A31F35C59D5A713B,SHA256=B5B73861E522BDDEC007502A0A905DB9D29451300DE23CF731AFC73C211BC746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.697{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000289579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.697{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.697{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF46f316.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.390{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.390{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.387{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.373{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.370{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.366{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.363{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.351{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.347{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.344{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.343{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.337{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.329{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.323{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.311{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.273{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.259{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.256{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.246{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.221{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.190{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.158{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.151{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.139{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.130{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.128{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.124{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.120{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.118{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.114{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.113{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000289581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:28.135{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573D15DA550B89FA083A4A1F290BEB9E,SHA256=2BF8E7D15AD939C1892BCADF2C7CFAA57259E111AB7CAC861153B115B8943D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:28.102{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA615E96BF1887A768A6E9720EAFBD9,SHA256=E4C1F96F24C401F62E58D55C9C7A10338EB8300C9B53E5CCBD80D824075D2414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:29.720{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:29.202{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34E590C4B80C7704D5100C8378C20CE,SHA256=005DE7A27814C41AA3738F35ACB5A98B2B7A8682D2994DABF18DA834AB584873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.882{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.798{30B46F62-5A85-6352-6003-000000008B02}67847792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.198{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EF8895FA440CE1E073AE9725F3E6D4,SHA256=5AB7A611181D248EE4F5F0F1E93CEAF58E3A1376ACE6ECD859C47E2E184C1632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:30.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5CA4872B20B6DB259B9CB3CBEB603A,SHA256=4148C24B426BCCE978BB59AE60EA5FD0D555E8694C2EB651E0F1206206385C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.936{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.698{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A11D8CD71D2735E052EA95B3DB0645,SHA256=60F4581AF32E56C741E1F292DB0036561F8DA5CAFB1C3C61CFAF7D073473C937,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:28.503{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57119-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.351{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2FF5564AB010F02981622FF93238BC6,SHA256=06928423F3193461FC9A4D475E7934D2539E8CBC1D58B222ABE1DF3C4DA3AACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.258{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.253{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.252{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.243{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D93AC7348C948C831911A7528464889,SHA256=1CB3FC494AA1A42DA6C479466D9CC0C43AA558E66201E54F9D09D697E4526F35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.904{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.885{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.877{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.833{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.826{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.789{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.783{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.775{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.768{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.761{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.754{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000199201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.399{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793144494F5CACB6D7D0808C13AA0435,SHA256=35575DE7D455F02223D353CDB813C4E6E92D88FB5C04E432D553DAC7380A19AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.325{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE795049A7A9DDDC839B5ACCD26A783,SHA256=E436F9561338EFDF58AC1A0BB24A8D97B0530A0ADA2E2A3ABAE82A673A35CC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.306{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=64ADD695E0BD677F127ABF7C4D23977E,SHA256=A32329AAEE0B2A1E578340B025AECF8BB83425062726CB14613E83F2873F8CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:29.016{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50599-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000199199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:27.554{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50598-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:32.588{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20535E47F2631A46B9AD55D2DB033F61,SHA256=2C8BDDA77D29AF2344C9C807233D2918AF23198C03E4A90C062A7F6B09A14CF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.203{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57120-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:32.418{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D452BA50890B1FB44A14960BFA6B154,SHA256=73AC7DDF4464A3C0D5D97CC47CDD66FE36E454EA976EB9351B3EBC8EF79F42C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:33.696{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B21473C4422E5E98007DB73F8C9E22,SHA256=DDA8DC001A9BB974192E9E4B1CD5395837B08820499549D79906741E1B6585F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.689{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57121-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000289627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.689{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57121-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000289626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FD20DBFD07817484E44788BD214325,SHA256=3103B71B9255C0A2176B99352D42BBC76ECF7A8E05797E456FD7579DB35CD5A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.483{30B46F62-5A89-6352-6303-000000008B02}81206656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.287{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.282{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.282{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.282{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:34.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9DE040E73803F85AFFFABDD485353B,SHA256=6C8231B23F1D956A23D783C5AC0D8FD1D8633D47FF56664BA43BDC16C7BDC2DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.988{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.747{30B46F62-5A8A-6352-6403-000000008B02}77128048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.626{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14CD50A2EE69AE28AD94DD907E13D9F,SHA256=B624F3D1589A2EC5582E8811BE7C58094EE38BFCF9BC7AA5F8E795AEE5CD95B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.485{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.453{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:35.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFC5FF9E0EE204775B33A030EB6916B,SHA256=AE7995E43E7FBDF6F24285603FCB5A410FB1016CA9C8B4D323955DC68518D3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.687{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB019ED9E8C6BA56992FA462BB0A4539,SHA256=39B8887BE82D56304720FE740467256330FE828C7729B51798D5EB5FDBFD3096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000199234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:33.460{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50600-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.187{30B46F62-5A8A-6352-6503-000000008B02}81563416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:36.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB82D89E3A2B1E6D7E8B4422B95F615,SHA256=A8C3A77F9BD9BB13E59411EBABFD4BA39867B24AD96571DCD3A4AA19287031AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:36.719{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC179CACA96E2061A56913CDE2E1360D,SHA256=BE0B8D84E92B66535AD34F2F0F5DBFBAE8DB982F123E5D4399EEF3172F592F00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.407{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57122-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:37.819{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFE006B3CE768A203F986F2078CFE75,SHA256=CDEACCC2EEB02B0DD395816CEC4CB5A943D9EC5034753069AB42232BF48D25BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:37.083{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F0CE0E5E2F8D51A64383FFA8CCB18E,SHA256=6CD286741BF71ECA4CEE2F32CF4C2258E2842049D039B1C841DD98C139E0781D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:38.935{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630CB12A246E5546E06295A85F4A221F,SHA256=904D368406E74187B75833857FAA92585C9F6E5BEB36AE508F7005E16CCFDE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:38.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F8FD9052823306133E45E95313B187,SHA256=45B19524BF31DAF1840BBA54B3F8D102FF148A2FFC4FED64F42FF598B08F2463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:39.381{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB61FE301C8A25BCE83C356F9F2B451,SHA256=07933C30672520B7D7C03D84AA5FFA3206093D5E12A9F2CBB0F92302A8757EEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:38.502{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50601-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:40.474{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEE293199C9F47F597129B2017B4440,SHA256=36DBE289DBAD12AF2993CC5A77C3BB30722508F734320F57A46DAA23B61FE884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:40.036{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEA0CFED482B94790ABAE84FF462332,SHA256=E3D051FD6473C7379F237D622B24EB4450C785B6BD47CB114ED00E390CE69EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:41.567{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDDEFD48709796E9B43B661D6EEE9D9,SHA256=43E901F0BD93C6F3DB04E7B5282E35C1EC6B9FCADEDB4710B119A56DCC1CB75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:41.054{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07801F0D827B8A7956B036C4271737D,SHA256=653CB374463CA90D6050B1644690AD5362698D3024D6A15965BD52B8153DCB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:42.641{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768AEFD51B1CBD9D8FB263FA242A8391,SHA256=E0D17C8ACE42E1696874685A109A2CE430EF8836D29F6EE4A56EF1CAFE92AAE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:40.410{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57123-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:42.157{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDC07477D04AEABDA24693527D7D481,SHA256=BFBFC26DB7C9046015E7B46B1F179F2231D1E53E59941D2B6801B5ADCAEFD4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:43.728{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BE013CEA3F5A33E3F14F71500F6991,SHA256=A5F00E6A248C14318DE662E4C8152E39BAF360AC5736B5CB2D8636711BDC4033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.969{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.952{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.939{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.922{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.908{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.841{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.837{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.276{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1319E9FDC5F3A2252A32816812797684,SHA256=57D9FC6B72A4313A9F6E7E4605C779929B9C023E0AABF4C5657D337829D854F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:44.824{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41BF30C11658C7E8A12B0EB76D40CA3,SHA256=AD6D6A47764F6992D61405EF75C4DB371891B002A1118E922729A67BF1FB8379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.518{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.515{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.339{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290A463BD6116C5804D39B8CF504971,SHA256=7368B913284CB352D5BABF9DB3DB65FC6FDFB108F8EE0A133E8F456FA2380C6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.138{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.131{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.128{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.120{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.118{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.108{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.102{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.099{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.096{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.093{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.083{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.051{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.033{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.021{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.005{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000199259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.926{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E011996C5A23AFE6EBB0D698411EBE,SHA256=1F7E2E7AF6680809636C4579A6D103E3D22A476D3875B26A83C66D63379B7ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:45.428{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93252FBCA7D3BB021FBCDADEF333BB3,SHA256=558F63F4BD2994CE680890722A32AF0CD39F9AB16F6BE45817513FD11C0D726B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.644{EFF5EEA8-5A95-6352-B102-000000008C02}19001004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.489{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.561{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.560{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.557{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A101854F99149C5B2FAA37C5FEA70CA,SHA256=A19FA4862C700F97FBD62E2FCCAC469ACC63411CD3B23DA6AE7C439F329EADB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:44.417{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50602-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.827{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.545{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EF69D9ACF04DC3714171ECDC3A3EF9,SHA256=BDFE780F3C0ACBADFB0FF229E61DD9466055FFBD405EDE709A7EAB09649900E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=28F29151D70454375081274B14B16A81,SHA256=122B8B32309B24E2DF0F2B13971F7E5BB49423E5FE8FB061131EC9F276285750,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.161{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:45.478{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57124-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.711{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94B7CDEBDDB38E4077A253A421F645E,SHA256=93EDD60C61B25B103D013878F26DB04AE86D8A3551D82219751306D4DCC5DABB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.642{EFF5EEA8-5A97-6352-B402-000000008C02}32323464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.502{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6783325FD4E601998B0B236A5C658269,SHA256=3863D0E160BB98E06A45C0CBEC1981A6F3680BA2585AA3113E137B6C7B8D1CA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.257{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.257{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.255{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.242{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.239{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.236{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.233{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.230{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.226{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.225{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.224{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.221{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.218{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.216{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.208{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.188{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.180{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.179{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.176{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.153{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.136{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.103{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.089{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.079{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.071{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.069{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.065{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.064{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:48.843{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385D474791E5049C7BC8F2C92CF57FDA,SHA256=DF355D4520C994D1AA4BEF697D35228A904ECEA44BE37020C5298A5BF8AE675A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.523{EFF5EEA8-5A98-6352-B502-000000008C02}35043268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.410{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B20FEB821149BE62F6E5C8938D9099,SHA256=A02478152173AD43D1AEC2DC8BE5E6540D2EAEE55385D919298BBFCA2C4E4CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:49.944{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A7741F1B18EBD3D5A8D15EDE0CA8E4,SHA256=1B3EF8E051C698CE67B81163A6F00708485539D2E5E86B2019BA2ECECB3FCD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.719{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.446{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D699562043D4FB15DD442DCAD366AF0,SHA256=2D11D60D49EA73DA9775597CA4348681ACBBD89AEF597C7252B926B4885A1151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.399{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1F1C2795A2284DFF62A7DFF3A377243C,SHA256=4FA406DCAFAF6BC4C8EDF40ADC5F6E788CFE2B3DD02EDF5DA970DFF9779D6A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.209{EFF5EEA8-5A99-6352-B602-000000008C02}2748500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.052{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:50.528{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F082C01711CE51AF0536C6C6984FA97A,SHA256=32E86098C11B59AE4A2CDE9475E70280AA19BA7CB49A2261C81C6C7F2260A11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.925{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.891{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.871{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.859{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.852{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.845{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.838{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.831{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.796{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.790{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.782{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.774{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.760{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000199349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.623{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6886E191B84AA632386915E6FCECBF21,SHA256=D0880705690AAE9EC7FA7E3FEB15C1793B8F38E0094CED35BD45C9F8F2BEBF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:51.061{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862098EDA55E9DF44B708A68142C5442,SHA256=10EE28EEECAB2575396514C627E981BE469D7C7D749A65963BA5603544BC065C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:52.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D3C50E73AE2DBFA8B89ADC8A5AF54C,SHA256=8FA2442EF00D7C7415D015DF392AE095B20B41E062EA272F3F856923ED48013F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:50.580{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57125-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:52.228{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB7D50E157507F4F62E356B03095498,SHA256=741FAE34BD820E381348AAB98AC3490AD6283F832DF46118DFB78FC0773483DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:53.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4790DD546DD49BFACD4BFB780DA8AC4,SHA256=27195DF120177C083BC3CE0960BEC231EDE102A2E8C444E569CFA6488DB1B402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:53.300{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFD3CA454C18C2334F8037844E771C,SHA256=8A1ABB8123D08519FD9171835030CE007CC8E6991EAE0D74BA846A311FF37A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:50.340{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50603-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:54.904{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B80E05FE5B7B9A7B72DFF5BAE61466,SHA256=4156BB09CB171C5971661CB89CBC226941474125443EFE5EA1F7266B7003F24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:54.367{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA1075DFB03A344382C55594A54B59F,SHA256=E9C74F580F304E4A68DCE361ED22261344697D5342C6B433EDC3053291FC02D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:55.997{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC974721AF56B61F33E673DFFA353078,SHA256=11FD15197150243D1FD7FDA981F706A8018D35C10C5338E228BBCC4FF3C455E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:55.452{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6C1E244CDCD8F9A149DF027F967574,SHA256=9C249DD85E28681EFEA0D5A3D3919C04E3B8984EBD1CBD6050625BD642BBFE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:56.554{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D59E22BCEEE166744AA436D385EF16,SHA256=D73788EC42D1631929627E1D72C7BCB4F0110E85ED0B4D1F662E92D670278382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:57.655{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDBE9501031A1CA7D9BB3FD767BC05A,SHA256=2B07113183177D5F673C675FD0739BA9280C57B6DF289754A23BEB0F94C7101A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:57.099{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BACCD65C5AF4C1AAC3DAA076C0181D,SHA256=930E0B59EE950A7072F51ED0AAAF2DAE58467DD89522C1ECA4BEDD85B488FCB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:58.698{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127B50D322600D3F24D004F00BCA4047,SHA256=DBFA414E3CB594FBECC1E92A09ECEE13C0D26B9DC9A516FAD0DC0FD6A01C8DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:58.194{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D9905D5EFCE6D5ABD01C3744E05840,SHA256=FC7D8E9740A0D46B1C6B8D0955B1234CB3F4098371C9E611D870651825C2F25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:55.465{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50604-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:59.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7938F8C835FA9DF8CB28AE9A88713CA6,SHA256=0883259D32D5886FC95750C9CE0F715A199FF4F1DEFED2269EA30F903B07AD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:59.182{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31120B9853438A84DE55A635FB26581,SHA256=3AA96CD6A56BDB6BDDEB8A4291A8ED10519E79BDD2DEE986EB7DF58814ABCC4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:56.509{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57126-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:00.815{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F67F16E6C7082C47FA1B403BDE45AC,SHA256=B8E9B9EF4C5D528EAF7F4C9BF7D538DFE489B4BBF19EDE24C1E1A11700CBAC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:00.275{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671B15BEBC1D903ECBA627310C6EB8DF,SHA256=67A3E633020811149C8B416736F3753B291A2F20BED88C18477F1B09AEF5F53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:01.881{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89BC646BB5EA6ABB82F68C95024C94,SHA256=E37FB322D363EA195207DDA2E266D331860A34B965A1AFDF023CD5B38CD993A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:01.353{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BA5C564A6E0C8DC564FB21C2A5B19C,SHA256=27DC501B73DB398EDD0A3D8A962645B0F5C4B23C87C73574CDDE87063F38D495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:01.516{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=886565B8F46A102EB6A26995A018F3DA,SHA256=F3E155EB026F865C6358D585D86AC5362808E53523E3C8C31E8A6573F3B45321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:02.965{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5A6841592B033375A5828694C15271,SHA256=47E666805F5217557E7C11CA3F78B8961E706A2B0BC8FBCD69A9C94B58B50B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:02.454{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEB4E121EB14DD21551D6DA16C3D4F9,SHA256=40F8FDD08C77C8E3E111EA63C7BA5AF45986E0B3CD2F4F01B844BD866E16E4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:02.144{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-075MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.999{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.991{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.980{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000199394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:03.553{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6021E228C0096BDEE06BBD65365854C8,SHA256=D1383F1FD3E5096301B6E70E7EAE99861E7B3113E92E425FDC0613AF1AB88E42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.970{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.968{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7C87F0E2C09BD5FA6FD5A26768B38B4E,SHA256=9386253B57BD13A6D8DDDF2837C746ED93B19195C5E60CC474CD116FF7FDF2E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.943{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.925{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.912{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.899{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.890{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.828{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.822{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 354300x8000000000000000199393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:01.369{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50605-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:03.143{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:04.844{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=063E77C41EC7490CF759781CC490B20A,SHA256=F5EA82485D1A40C929F094B5611E39291C9593F20C89F7E114E3A6C90DAA4CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:04.641{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8584D00C6AAC763A8D35B40D520F42E2,SHA256=396A706191CA8F3218F0810CA93BEAC88BE2092A7361F0DB5006B68ADC767BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.644{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.639{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.091{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.083{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.078{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.068{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.067{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.058{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A0B27BD3B50946219862F868D57E1,SHA256=B08C89EBB43E3544C58937A722FFE4FF6F2282DBD04B365541B0CF7DFCA87746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.048{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.039{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.035{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.034{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.027{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.021{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.015{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000199397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:05.742{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5081FF0779D73BF19EB6E829A31461,SHA256=A48BFB7B75DC9DD6F759A6097A9377EA75CFF086513DB5F56C3B63C6A8C4ADDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:05.091{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D44EA56765C3AC536E5FB1CCD9F70,SHA256=E7B897631759195D52E60CA29A607A0AA2E611148BC9E95D7AD12829114F6A36,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000289786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000289785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004784e6) 13241300x8000000000000000289784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e520-0x31df2215) 13241300x8000000000000000289783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e528-0x93a38a15) 13241300x8000000000000000289782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e530-0xf567f215) 13241300x8000000000000000289781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000289780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004784e6) 13241300x8000000000000000289779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e520-0x31df2215) 13241300x8000000000000000289778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e528-0x93a38a15) 13241300x8000000000000000289777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e530-0xf567f215) 354300x8000000000000000289776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:02.440{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57127-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:06.828{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8814BB33029EA2B10E7594A4D889951F,SHA256=60864490BFE41CA514339E675462538D247B42206D0A22A8DDE6101F0E2DE829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.675{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.674{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.672{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.240{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E5D2D3A356ACD886B5F98E6B131515,SHA256=BA3E8F8FA2A08F36C6071BA2606379BA1DF5CC83F239470F32DB4D64E14118C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:07.916{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C55E754DCBBCB1C5BD9FF0136C0C96,SHA256=073A5A7B320BF75C0EB7B54A39644D716EE1C9412738F5D882BCE6A431B2CB22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.363{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.362{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.359{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.341{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.338{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21163ADD2C787B1070D5014C06FA1107,SHA256=286EF27E6FECA964DC4EC33590B57AC49B2AEBBE0FC68896CF33565CE161C962,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.336{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.333{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.330{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.326{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.325{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.324{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.321{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.318{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.315{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.307{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.283{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.274{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.272{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.269{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.254{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.244{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.223{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.217{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.209{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.204{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.201{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.198{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.195{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.194{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.192{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.191{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:08.374{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC04E59A83F551F2AE23EF1B3D7AD2B8,SHA256=7B878A596CA63AEBD0FCFB64472D6CB8DC764B9D57ED66C8106DB1706C0BADFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:06.453{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50606-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:09.460{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF026211EC18F401CBF6864F40703B79,SHA256=5C7EBF516D7DA5DA47C186EEEA53A9ADE5277D1B287CC113763B3356899500AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:09.017{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F640434513A7470782D9BB7507ABBD78,SHA256=DBE559CA26DFAAF184C8D2BF40CC54E06B33B5601EC923D020B3733B80C28D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:10.546{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E986AC11B096C21BCA535A6F852313,SHA256=3C2D063DCB583F7FD2F9ECDCD78FD2C33B92E61E0EC5EBA66E93B424A3CA176A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:10.104{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5550F48F52B642C03C4DC72D276CFDF4,SHA256=E3B292193E994C9A41C030FFAA56DC44E778CB9A83B667EFA8AAE906A94BAF43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.565{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57128-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:11.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B691A2360313CD8DB152E65AECC93C93,SHA256=F122BB6293F970264B51DFDD899EAC3529809F920DBA5C2FFF5856453C60F003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.986{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.813{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.801{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.773{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.206{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2124A856D81E17FA2F250DB7912F7FB3,SHA256=0C883059CC19A18D1C95714AAE6C1DA9C0F19AD21523E6299FD88347FC888EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.501{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACACD410FF0D16F7E149990CBA579459,SHA256=D0C09C2735CDB2B2F17BA5E021A87DAEED1681B2999D7FC3BEF93932BB8AAA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:12.697{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FD7360A96B6EACBBFCDC4602CE3915,SHA256=37CAD287D2DD3D106840B6D9F46BFBA524AADF460EA4BF2B250455402867B603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.000{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000289830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:13.782{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85BB23F3810F15CA06AA7AB3FFCBCAD,SHA256=98B44E4A7F7AC7BE1994C0981E2EC2AF0A8BA6A3860E84C127CAFE2D8FFBA48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:13.588{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC73BBFEFEEB753D6EE7B333E40C047,SHA256=D5D7834C4B3EC73EBED530EA79956D8A27D5C8D5D483406EDD05457C6123482E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.497{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50607-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:14.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3591AD488EEEE9515BEE8A54AD5A86,SHA256=DBD090AE58E17CD87CB55915EC0476AAC545FEAE3C66FA5F84CEDBDD762170B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.561{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A480356BD05EF8B6A72BC64730DB947C,SHA256=9E5B63FD2CE5564C56D90248DDEE312B89D6C75C79CAE79AB9943E53E071F647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:14.171{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-075MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.369{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:15.658{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13E07CF5E7520DCDFD9B398898206E3,SHA256=65CBECC1716ED45DF7A5699A71521057CBAD03AEC5559517E80E6B6166C6B21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:15.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A3606E3A6607F1767315CD162E481B,SHA256=49CF2E3F742317555D03D5B0257AD0F329B245813F601CCD33AA98AE3DCCFAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:15.171{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:16.752{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3439474D27228BAD81A3165D1142A4E3,SHA256=40C098FEB1F189231EDBF7B59400FC6CC5668EE2E819312709C1B74BC82DCC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:16.990{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB4D693B2D2C516FF4BB45B5849A256,SHA256=008DDA54D9883E79E0EE79126B7BEAB6ACA681622BD6E2167C1C727D63F8CDE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:13.491{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57129-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:17.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D3E4B4FA1B660D439E9661A321914A,SHA256=2B0887A8FE5F6E0701599CA07FC347EEAF39F0B9134DE7A82C410557B791954B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:18.946{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6688F66E3D5E93FBAC8F6F6F9E1711A,SHA256=7AB5549B4382814929A1FE835C51C3C2232A7D6431A8F33BF2C364088429FDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:18.075{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491FC5E1F8A40344BEE9189F93693408,SHA256=66046273D9111A3601C8D0C8C57EB27030BF5EF0065C5811A880D80E380BCB96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:17.364{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50608-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:19.570{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C01F1CA03D3996607223EA44B25B0B2,SHA256=D60A1E50CCE63B4594322F6E810127F523CBA3AF7A01037FE124D7F1EB56B576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:19.111{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D772DE38021D341F969035F49A3939,SHA256=0F1C9DE39E57F13ABA5AE6C2F61B2D29C1FD6739BD1A5092CEE0FFC00850C236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:20.023{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25E835D68EE4DC5EDFA5A92D9A402BC,SHA256=BDC6535989C88B3148E433932898014CF9D3F230B20B70D075F135BD2FC4ECC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:20.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E1B0A8A7EA79D54F325D9678906CFF,SHA256=A8F6D51E53CD41BE8A666F062E10AF89CC367F9D86FD487B9418A7457ABCD8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:21.118{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E341CAB42123DEB361FD8BDEE0DEE22F,SHA256=64CD9859B0B6B093AD1A399AC5010AB38DCBDC292C47F9AED838D5AD39B530A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:18.585{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57130-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:21.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F00150EA27E9D73996D258D269EC13A,SHA256=F6FF0CC6513ACFBC603D9E8A447A7A39DEAB0B9094C4D2B19A62A7291541AF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:22.206{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777BDD07AADF033A05CF369C280FC623,SHA256=86A4CCB8DC46D578C0F7A6395C88AF020AAC2F2CCC77CC9699A3C5F731E778AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:22.298{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD39BF01377F8E2CE614377B9919CF7,SHA256=16AB078B2FF1D555B369A52044D110C235C140F0120408357E362C4571288C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:23.293{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6411A3EF86A0F7379E3E36349396A8DF,SHA256=C881B5E75FD214035CD6B90CC66D15B9A6F87C4D326C9EA25837630F408CBAA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.988{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.973{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.916{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.907{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412576DDB58025BA717640D005D26123,SHA256=53F162AE5ABF79D542CCAD2B923C95668A1052A1285EE2EDBD6AE101A5E7AC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:24.396{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9487AE4B0A778B53CDE2C0235FE49B,SHA256=18FB6544D5AD67FC0FC8AA5D616E0343487B9437DE4C8EC69EB3C695311ABBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.614{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.612{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.400{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965C865FE54AD9C61E6F496E63FCD487,SHA256=F29A5192BE6F847322AF517335FA1A4FD5F814AB6F42B0DA69098AD7446718D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.242{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.231{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.229{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.222{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.219{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.207{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.194{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.188{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.185{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.183{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.170{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.161{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.135{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.122{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.103{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.089{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.029{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.007{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.999{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:25.458{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC44941ADE3DB89DC3C82F99ACD69B,SHA256=4D9FB3289D4BAD25114D6F63F99DE322C700E5EC5D9D3080CA5ECDFD169AA6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:25.486{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7376F3029E49DEA1886087A1563230F6,SHA256=9DDE7EBF3E112168F24732E74CAD0BFC89E73772680DDE2FD8FA9583B09644D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:22.369{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50609-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.649{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.648{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.646{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.545{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DED1DB0EB595ACDE5BA2AD953A9CBA,SHA256=7E23D2D6BE226AFA2A1501CB4C0DA691F064DF440F3C7E8572F90B413A29D21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:26.587{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8197150A145804ED5354BFCE69EAAC46,SHA256=0CBBD2788D9AD76F8992F6D4D638613885FF1E298F1D1BEC1A180C9FE257944D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.332{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.332{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.332{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.312{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:27.682{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76F9C0FE53091B95E00A3F857208E40,SHA256=EE47F6BBAD4441A887CA0106D1A82AD2CA07009BA2F318530ACE1E63188DAF70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.463{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57131-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.370{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.369{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.367{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.351{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.349{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.346{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.344{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.340{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.337{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.335{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.334{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.329{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.325{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.321{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.303{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.268{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.257{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.254{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.251{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.235{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.227{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.195{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.189{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.181{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.176{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.174{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.171{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.169{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.168{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.166{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.165{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000199456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:28.786{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A60A063CFDD88ED8367F2B7BA172E4C,SHA256=D1E9B79A85A343F06296E1CAA787F49142DB4CA24E977862E7DB910149142757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:28.048{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791088BD2F60DF9F497A121294765FD9,SHA256=51767EA59D1874C042F5E7C75811951FA5D8DBB8902C36098283B9099BAD7627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:27.544{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50610-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:29.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048733B706B59F407653816E67B9B0DA,SHA256=95F730F5C9991A9A7B7658149B932A6FE543E3E6E310381542E688E9A437B36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.899{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.798{30B46F62-5AC1-6352-6703-000000008B02}41728124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.583{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.066{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F8F0E3EBF2954DAF64072DCD9718FC,SHA256=87B37A75980F4D86D5036C8E8914F442EF337F48FB661CCE60AED4A7FE4BFE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:29.741{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:30.973{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1104B8AAAAE79D76A8B6F43E73AA6314,SHA256=C4A3DC3C8BBBAD03596245DD784986D6FC6E2E6786101D5166ADBBA1DDCDCFB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:29.037{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50611-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000289941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.855{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76135BC837B2258BB647AD678349D4ED,SHA256=BB514DB228140CEFB4BAD22486C20FA5885F6828F5B235873E9A03933802ECDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.236{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.234{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.234{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.234{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.108{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25057D40521396D5FF26F1C7A62A5C,SHA256=ED048A5EBBCDE982C5DD1E6F64C4C7F328974058C62DF7F384BA9101A2B5AF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.069{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=683672C4E918098F4E30BC5DCAB109C9,SHA256=2181FAD0777E6C6485FED53323DA9934D5F2EC27966F7FABA56D1F994FE02415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.956{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.922{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.905{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.886{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.884{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.867{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.833{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.823{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.798{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.791{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.782{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.762{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.754{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000289944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.603{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8002CC3A7AF18CCCE281946F41C3EADA,SHA256=EEF561F46D12C981A67D961626E6E696A42580EF1A69945C9B8D03EBF336C07D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.222{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57132-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.178{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC8C45464AC043EBB0A66DE85EECE94,SHA256=C5600E13AB16C4BE2E92E483954BDA225F943F25B15A0632702C0EA7CDECCF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:32.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4317914CC8D1027E6C989A1F6CA038B,SHA256=6DA14AC719926F2D518D57B5528676BBA79F5492121D696588421683B2B33067,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.376{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57133-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:32.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFF07EE3804F506A0FCFB60AB9CDF1A,SHA256=7509D0CE419D856B205CA017FEADFDDA20F6E509C99160C9EB34B37452E1B3B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.475{30B46F62-5AC5-6352-6A03-000000008B02}24362536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.290{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511DEFD09196D5BD5283C6358550F1AF,SHA256=CF52111C6CB1F5D2DAA9F0A50F93FE44FBE9E4D953FB57F5769FD6DD38FCB1FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:33.040{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6481B3468E20498EFC9FAA16EA5D24,SHA256=55B4549E7C24D2E1E7579D83E61D076D04D4E6F2CF7E6DA7B896E42DEE9B8760,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.692{30B46F62-5AC6-6352-6B03-000000008B02}74046372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.697{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57134-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000289958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.697{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57134-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000289957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78138A9F894276075F89F6FFB4540E20,SHA256=6D286F42C736463B18424353291BAF862E6F7148F5CA8AEDD261E1D312063077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:34.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4754114D2B35C6DB34A9DE02C4B9FD,SHA256=7A953C4F5924D7CFD7F17F34B6DEDEF2FCE25E199F6C54F4AADF65B9DCBC5452,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.747{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.743{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.743{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.409{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228615DBD0A81DE3DEFD89508D56A033,SHA256=D59A5F03421F3248D83B8DD0059B164FEB536D0FAF8E1BF35EC496053F6EB844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:35.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5E9CBA8274BC2A40C5A9FBF254EA86,SHA256=CA6BB25021063EB0B6BCAFE2955CAEA2EBC825B60E9431F744A371F29212AC4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.346{30B46F62-5AC7-6352-6C03-000000008B02}41924776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:36.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03773FF60068C614DD66241D4725A01A,SHA256=0D3B76A8ECCEC8B8F2D0E8A8EB8BB3A0CA4BCDB84B1C76CEFB285DE1E5FD63DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:36.865{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE03426A2F5716A45C5F1B7D60B7231,SHA256=72AA2BC477092CE8F079B179DF05F3E3BB075A64A9211BC71A3ABCD140B033F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:36.479{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71F15E6D5064D968C68513355CFE7F4,SHA256=EA5DF6B177CD6664553E91CE1082C3D02F5548A15A5E820B8015159982D38E48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:33.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50612-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:37.407{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B79E06FF75C7332ED37B7160C3F7F59,SHA256=7C6581A05D4FFB72924A6CDC923C77F59E194E0EEA21B723AB7378D5E0DB0398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:37.513{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE75E32545E94EB7A4483F91A7F727D,SHA256=5A2B1FBC264D755DA52070E5AB123D649EABD02CDE2D935F10FB9B05B4ED0788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:38.493{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6FAA1E032B74844751611938BF862F,SHA256=22C220FFA6C2F8BCB949A01635DC4952EDB2CC49B0BABF662D073ACF6BECC424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:38.550{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B524DF956B2DC5818A4F6D770D4F6E,SHA256=F1E966BF9B5D0D9B4C1E38E3198969FE103247D317EECD2D54C8FB530B71D382,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.480{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57135-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:39.575{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FE9CD0280BCD37F543A671C8DCF686,SHA256=C2DF13E546BB6A1BB121248B2ADBD653D205DC15882B46EBF756A21A91BD2CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:39.601{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CADF9CC5CAE2232EECA030E3751053,SHA256=1E1BDCE4809F0A71E9C990608AF7DAB64A5C921FEE42654BF846C482541676B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:40.674{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68A51B90803EB5BA98563F046878344,SHA256=3C310A5880FF564B553162E5803528CB26038439ADC968FC1EADFC02B70AB7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:40.672{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4F23E654D5681AFBF305630725F359,SHA256=F9C1CAB0A46742D821790DC687C6C636732FBBC98A79F9B07A067DB569F663ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:41.771{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2B1589FAD4E5CE862B602EF505B5E6,SHA256=375AFE2887C991B778BC0846E25B8F1DAC5BC96C7D4E631388FB8F4905B86A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:41.721{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECBD782ED18DAA72BFA3E6613D1564F,SHA256=E3D20EEC5281785DF1678C9E91D94F67ADFBBDE57EE805675B512E4CB320C355,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:39.405{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50613-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:42.865{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CFEA7C09D2D9E2AE415B84597F6705,SHA256=B946D1997E5560528BF87C04A9D597876FF530A4209C07325B817F9EF6E91E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:42.777{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2F8F731317EA990CE26F9B4BFE371D,SHA256=2B69412A29F2640A74190AB9E10CFD7D2AB3AF9B42D8B2216D7449B484CE9AEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:40.492{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57136-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:43.957{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D14FEC679E0B3EED30893B8F3BDE2C,SHA256=D42E531D0CA51A4C0AEF84CE3C358FF487BCD21CA2083B91C4011B301F1A1B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.996{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.987{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.971{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.953{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.944{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.918{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.905{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.897{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.888{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.878{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000289999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.828{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000289998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.827{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA505D95A8548A58D08E9319BFB2C98A,SHA256=D6CFA28B806CA8F3B4994C38002D7C988F7581BECF3C415D09557F71A630C02B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.824{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC20E6D669991D330DAD2A1522178DC0,SHA256=71922CBE183900DD528ADDE980F1FB6D035F67F94EF99A3F110E64C4C66EABBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.665{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.656{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.068{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.066{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.028{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.016{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.013{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.009{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.007{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:45.882{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833143707032A2AD1BB6474AF4EB34B,SHA256=BEC0B2798A52BB277603571CCAE07186B80E96B5C106943C4A0E0AF6CFCDBD9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.702{EFF5EEA8-5AD1-6352-B802-000000008C02}3632612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.696{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EB0D69D2FA9C0C14A45571398EC980E6,SHA256=C24C5F87EFA667939E0A020852B8CF073D3B4555A5ED745FFADEE72A1469DED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.500{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.045{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10589908C2F3E283E014C5F56C31D502,SHA256=EE6D64E0D7AB074DAC244AE5CCB06DB8F247B0F7974889F864A32251ECE65870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.801{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.667{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96FC0DC7D44825EFA89E71A1051C187,SHA256=3DB1BBD45D24C42C5AD0512512B7512C4AEBC9C7DEC81A87DCD9EACF3C6D3450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:44.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50614-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.391{EFF5EEA8-5AD2-6352-B902-000000008C02}36361788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.172{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.125{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28B8D686BEDD9DFE08D8A3FD0EE6F7F,SHA256=9F7552DCBA0F396F3EAE9CCBFF72A30E63D6805E208B51AA6984F612231AE0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.945{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B106EC6EB6C86D1767B6ADD0619F47,SHA256=9AA4654E22BFE1E5A6B95FB18DD46FE32868580DABCF26854DF182D0B3EE2178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.700{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.699{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.698{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000199571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.632{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.431{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2B970916A881E308E32399797E1005,SHA256=7B52B915D1C43D27FE3B850F90AECC0A5E9707A6DC2F2E9EE3A577EF86734921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:45.537{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57137-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.422{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB000B0211F486496962B938731E6C7,SHA256=0BE0DD9563D1F46C4ED6CDD5387E6A402DA020AA3B28CAABB810DE2EEA07A8AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.406{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.405{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.403{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.385{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.383{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.380{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.377{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.375{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.370{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.369{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.367{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.362{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.359{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.354{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.339{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.316{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.304{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.300{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.297{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.284{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.272{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.246{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.241{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.232{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.227{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.224{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.221{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.219{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.218{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.216{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.215{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000199599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.850{EFF5EEA8-5AD4-6352-BD02-000000008C02}33923584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.685{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.681{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFFCF5C80B52E92A06047A5E309000F,SHA256=76F7582C603E24A5CCE4AA16A7466F27776BFD98A705DF0BF9949A0724E1067E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:48.015{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA1529A21FD15C1D51B0F603559322,SHA256=BF570112035F7C93A0AC10555CC73E00E6EC42526B8A032255723D5FCE58CD19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.049{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.829{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060E1DEC15F7AD1D7B50A3F41411DABD,SHA256=DF5B9098D5327C1282FFDF6FF05E7E59303C10B70F1A9D90F952613C8917F9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.713{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B5D646B2B4850D5C502FB90FC858EA50,SHA256=235252930BEBE481C94EC5C0BDE96CEC51D4A5BD50A5A5A111281806E9BE78D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:49.086{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA18E374B1B1656A2A56BD89C947FFE3,SHA256=EEF697215CADC0785310F82D1E589415AEB4EFC6EE2862AEC06C27401F48E583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.227{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:50.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E73B9AFDB23A95C0A8EEE935C7F868,SHA256=8836DCB351928296C3BD72A16CD599561C8F21A1943487DEBF76F24FDCE96E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:50.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255EB651B08F374C5C73FFEA649D8557,SHA256=22BC7639BA9F433D26AB4ABEE5F9E8CAFFC7CB81B1019D29FD114B112F2D3B26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000199637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.900{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD7478351FB4FFE657AE563545F832C,SHA256=9EEA588A82203B8A4A4EB08874A0DBB6F359FE1EEFE6DE8F99103B3D1059BF1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.865{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000290096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:51.248{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B40D1637A30ED316821B0A69D424B61,SHA256=50B24D1FE941E54623D206742B031CDC08595C074D0EA692838D1B1E134F6442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.797{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.793{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.779{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.772{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.765{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.759{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 354300x8000000000000000199616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.535{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50615-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:52.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76033B2A1646A3111206DF167E6469DD,SHA256=C1AC48B10B0E20C04E65675470D8CB7C6D553DB7CE302BBAB6A7D4CC6F97C55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:52.349{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B887ADCC1778CE3BF794373A90F2F80B,SHA256=CC17326C179AE1FFD4278FCC655580A9137F366C8BEEC39B56AFD05E257270CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:53.989{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE47E30DE15730A9AD983D0D4E99650E,SHA256=4C2E4E60F88A0C9F8920D6662C3EA206620B334604D43E2E51752F17A040D6A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:51.459{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57138-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:53.426{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3893BD9729DBD0BE73978E398E93B63,SHA256=9D6232F47BC85D2433594C2E79EDDFD3405E2B0C73A6C381D3B30477CB57DA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:54.507{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89456026781FD7E1FE8A0FEA7C1B496,SHA256=52D29F92201622F156D3C2486A67D385A42D2D79876F26C4635C7D98E88E4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:55.572{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0BA724D9960E5D498A40254AADD23F,SHA256=6C4D36F539F444EF0C1D6D87FECCD1188A4340CA46E7505AB3469F8297B3678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:55.084{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82237A4A37011B356761EC28A6856D8B,SHA256=EDA206D716905223C61B89E8CA93BEFEC823A31CC45859320D4B7CB0FCCBB745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:56.673{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D21DC65555627CA00C02EFA5698C89B,SHA256=65E874FD9D02B75C4DCBD91CFF9084C745665521DECFCD2116D4910B2B4AD196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:56.168{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20ED81BF8534E964992C7A950E254B78,SHA256=74C6FF696C8D85107DFE877270EE456468A49049EACB15CC94F386BFB61B26A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:57.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED12F155CD2A246E786355E829B2104D,SHA256=E21EAF749C2DB235A69270F15CD5283649B0AC9D9222A5829847ACCAFB2F1F55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:55.383{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50616-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:57.263{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AF5AB3632571EA77C5C63436C10BA9,SHA256=FD09EFF7B18A14DA023772A1F91AA6F63AADCDBEAAA93509A484525C9DD903CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:58.830{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56F85A6BD3D128864E53D127C985DC2,SHA256=9A0AA15A1DD7EF42E3041CF91565A657A29F3FD1A98EC896FA784EDB3B4DB788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:58.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70569A4272754FB3BC14715F0F2BE95D,SHA256=554CC59B0AC3338845CB6625F24D98B82427AA03455A49F31D542C4444393866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:59.901{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5DD98C80A590C64ED5A9DB02489535,SHA256=EE3705AD101284582C2EFC80BB1C20E30B9C1C022DFE77CB283FA1AD63428AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:59.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6574D41DB32B2DD78FB8C7B66934786B,SHA256=C03E91EFEC6765D3F429E0D7E60E77365219CA76A441B8297C0C936002294780,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:57.417{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57139-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:00.964{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4325F024E6000BD2BE2C98721F3AC6,SHA256=73572E88CDA53C7A892F5B730C2CAC6BC8691F83F3024AFD1F927B5FD3C27CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:00.545{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F54341D77AE86947F5EA6EF2E27D03,SHA256=1EFDE9972044871ED286217AAC28788972A55E52E3B1C9D9078875F994AA6D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:01.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B5CAF529C7083034AB382E9DCAA255,SHA256=0F10801972FF477764E4AF7E8C58E2AD71195DC24B606015C82B75BA56DFF498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:01.689{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=160C7C3981A2D1C7FC7C16A358352BD1,SHA256=D9462CA47E0BFC50846C675EE0A719AFA92BACB5A5FDE74B629A441D7AA973DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:02.737{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE1A22F1B57C562BE54D13FFDB99D99,SHA256=CA872D992506525D07DA95585C20E71C7D904A31371304FB359A3F6DE01B51C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:02.009{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776D4255860308E9354A4A44C0BD654,SHA256=67A69AA779FAFEEB1D3E89D10F4B0FAFBD84B0A659B93F741A28C8126DC2A264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:03.835{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FC682BC9C415C4BDBC5586B59F260A,SHA256=AB3C1850C1957F407D599482B2C3E3AE499437A0861D71F76A8031E3F80F8633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.992{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.967{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.967{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0C22F219713CFDDC6C32C83D02546858,SHA256=CC25869174ADB795759BE67E3CAB8C45865C0ACB06A17206078E76DA479DED8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.935{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.920{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.912{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.898{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.881{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.829{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.825{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.056{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA0052740DAA94C9FDF6545E6FCDC30,SHA256=BC8566B6A0F0D1C2C2CFAEC459E4BF05A0C1F08602E6FB6A9EB3FC803D0C35A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:03.665{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-076MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:00.498{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50617-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:04.939{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600A8F20FD5F3D24E7CE8CA4EFA43FC9,SHA256=DDFCF915154E879989E058D81E106C0AE778A3A05875E29C08B4CDA4F7B1E7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:02.466{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57140-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.724{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.717{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.131{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FDE9519DBA6EBCEADADD81763B364A,SHA256=2B69E485891E7013035B64FF9DB9E554F17A5F793CD588991CFF78BCFA3155CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.109{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.101{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.084{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.072{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.061{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.057{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000199662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:04.845{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B7795FCF07155B1E22E3854795C1574A,SHA256=8A1EF3EB2FD17462D4DE38EF4E5164539B20ABF92DDE66480A51B84857EC3B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:04.673{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.046{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.038{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.031{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.005{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:05.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9521FDBD8781A74FA35C42503C337735,SHA256=13D242EB516809A632F306273F4D36C60916F980280E3CFF1CEF4C64C5A8511D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.764{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.763{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.761{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.229{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1AFB0B3F0345FC9C9BD95D7DDF9D95,SHA256=4B480BCB03E37CFBFC537A726C25A348FA3A2B868DF217F9A085630D13249179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:06.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2DED1FCBE22F52C1BCB7929C7CFC32,SHA256=95E9139D5FAD37262BB2C5D00899DE96388DCC8EA875E4593F4A124C6C3766A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:07.111{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49732A14741700DE2F64C32D23E9A3D,SHA256=AB0480AE1A2EFB137EAE6072B2509DA7DFEE74C8A0793563D38453125BD647AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.545{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.545{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.541{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.513{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.508{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.504{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.498{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.494{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.485{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.484{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.480{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.477{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.471{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.465{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.449{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.407{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.392{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.390{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.387{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.363{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.349{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.312{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.306{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.297{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.290{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.289{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.286{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.282{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.282{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.280{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBD8C8FFA6CDF0102D90F3A1E36837D,SHA256=29104CFCEA471F2A600579373F63283E24931FDE041AE77BD6E6B8D437F1EC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.279{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.278{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000199666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:08.211{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8AABBAA0EC5E34A4E0F5976D36C0B1,SHA256=D6B4CB5270DD1FA93F2322E15E375635A989E250FDCDAA3137419A42CDF4E9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:08.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282D9498B947145D7A1EF3FBD85229B1,SHA256=EB02603ED45F633B883BA395AC89C13D2CE9CCF20DD7E88E6048D0C49FB4B2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:09.296{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4422F276A5F4AE59E24CB3FF5CA7CD87,SHA256=DB1FA88CD8794090EC0C64BE157FCE275526EFBD10537DF08893355D6111BF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.541{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57141-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:09.386{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FEA1FB58F2ABB224B25CA8A43EEFA2,SHA256=D0FF4D9A1FAE0081B27047FB0F123FDADE0939B4BF35AA7D6D867EC6F6DCEB91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:06.485{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50618-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:10.382{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA2177E71259C38675E6050F8622898,SHA256=2823AC52FA546892AB5C0100FF2E247AE4E0694DD1B1E6147B1D99B4F2759BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:10.471{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C940E438F38B2D7EF40A87543BA9ABE,SHA256=2FE8EFC6FA09CCA2EA7EC0FA69525803AA7B7A775A0D19BEABD62E2CAF1947EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.880{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.872{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.870{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.853{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.846{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.834{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.828{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.807{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.802{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.787{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.780{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.773{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000199670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.468{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D2C137296579D5F8967736A4DF57ED,SHA256=929360162160C8526B1A33908CEF5850C097B3EF1E645D39C0DD71717EBAA9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:11.573{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D680EEDA809F8AAA620D11582644774F,SHA256=3D94A66C1C7E24F0931D21841B7EC25D03FBA1B8B5C8E515F78D13ECAFC4BFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:12.993{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062EDE4967A3DBD9E09EC7A11C546D26,SHA256=511C37FBFA8E554AC5942737947744A3F21F31F5DDD23FC93AB2B0B99EB1A0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:12.659{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF5E7DC9C9866582CADC8B3924AF76E,SHA256=6726D808ED7C619EE3152E4196B00BF8FF55FBFBE600218C5FBB77024D2D3E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:13.730{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECA495490B68FB61034C46218E563BF,SHA256=FF853D1A3B9ED4C0015EE635E6F385C61F65A1C8FBD8519961C161705F0A98F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:14.777{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE15E6EADEA8EAE8E5F54742DE0E47,SHA256=C9598BA6CBF6AFF1552A75DA32FD1865BB8E78951A257D335AF4A292B2999A25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.369{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.084{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DD2FF77AD92DF83CCE9F18A1FB3341,SHA256=C4491C5216D3305653F7A9AB62533215ED8713158258F82DEAC2DC5E1422612C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:15.933{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF4899e0.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:13.602{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57142-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:15.833{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24024B8CD6D9B61BE3914183FA46657,SHA256=296F45A5EC3D2E90BA459845505FFA78A0E5BA2084F788616B0328AC8F6859B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:12.459{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50619-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:15.189{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7136012738FC7086A855CEA3D4EF9CC6,SHA256=45420B60A1BB8F571B46D2FDE7800E2F3CD62B4C3E2E4D4DFCF3AD9E89A48A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:15.696{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-076MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:16.898{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF581F3605EF747C3B94220D66C7F0C,SHA256=77FD53C240332E55BCF582134A0F275193F11E26C7A0352372EF4A16229155C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:16.285{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16700D66920A02D654F19B5B015256C4,SHA256=2F7F4F25C96439A78F4EFCE011A73AEB4A2D908CD92650C95711C1C32A3A7290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:16.697{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:17.991{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFB99D55EAF1091023ECE5AC2EA4E66,SHA256=2CDEC4E89820AA651A813A07E010D16B8F924861E77189D158C2CD3EBFFEF6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:17.381{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012C605DA0BF9297C940FA88CF526016,SHA256=B3E476E29952A10E6E0A1EB48CBEB2159CCC82A0AAB0C96E6E703B9A1B3FA54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:18.472{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EB699756639D25BA8C6D7EAD13470A,SHA256=5487A69AD8B79CA4CE2FCAAC254C2C9E1001568F77BAE82DA1FAF7B944AD1C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:19.879{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4FBC9174362A6DA56D5ACE6839BC0560,SHA256=0B02786142602133CF69EDDF26C6D8D1DDC20CB52C013D72CF9B7D24186FB930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:19.583{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575B368856FBB36ABECEED26E4794914,SHA256=9BC5900AF93F9E8A1537BAFB3C179DC566BAD4C2624B84489EC48FBA527DCCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:19.018{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1C381BFB58E04DF714E5E70A52A381,SHA256=566C49560B805F101C8BCC83E89A9670852D510753C83B39249DDB9C038770B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:20.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F50C87D3BCB7F75BEEF861553B3BB4,SHA256=1996619558F3795CDEEEE0E46007DF1BB23B560FAAF3723E70AEFE4EE7ABEA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:20.083{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7FEAD6BDD7160A2B0599CAED118A0,SHA256=805881AC3BCD35091B6C6C6A00319BDF35286988EA676976DD088E419F96F954,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:18.425{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50620-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:21.758{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1D2D625B7A96175DEAA25B1E2972D7,SHA256=8577F94714B9C6D7BCCDFEE3863FE05BEB1284A2675C1E1713980939BC99B8D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:19.559{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57143-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:21.140{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D9401DDA792906B025FB3AF8F6FBB1,SHA256=3610B276597156CEF611CC60E856E6AC8658242E52F2A59CF5BAFA53EF6E4E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:22.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E9BEFF58DADB6A15EC1221FF6C18E6,SHA256=97FAF2D05D582538BFF320DFB2FE572591087F69192D4AFA83400DD4361BE9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:22.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E743E98144337AF8F52372FE3E7861,SHA256=AE58FA118AA47F76D3AD7EB6761947D5924807B3D61BA4690F7C5507DB829AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:23.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9E88A7A44F1EB928C679DC261039A1,SHA256=19801B81469435BA8FD800516BB074E81179520605BDEAA561257BF4657B0879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.985{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.976{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.969{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.948{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.938{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.932{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.922{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.915{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.855{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.848{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.302{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A0DD9966D65096BB5A581642B7F9F9,SHA256=E54545B5DA637D73055864D2DB6F9601009B48F3AB9EF497CABD62121CEB9F25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.448{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.445{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.347{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465DE024C0020A30C4C970CAB3D8D157,SHA256=7A172D8503659D524CECB6EDF1EBCF0BA3925532CC843377026BC41BE4E8DC19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.057{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.041{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.034{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.027{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.022{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.018{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.016{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.014{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.008{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.004{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:25.474{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6127F2F6D30ABC98197F8BBB0C6D513,SHA256=9987C411DA7EE491FD27984B450A4BDF8FFEE019A9602E65910287F6BC95C5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:25.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634DC04D59BA72FCE5ED27CEBE6789FE,SHA256=BB120171B0592BFD7620C2122EE470A4F56D1D8D69A5E944FC3CE799921A66AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.995{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.994{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.992{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.524{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF834FAC5388E34A81A805E6DE5A6F5,SHA256=B543AAE96B2B9032074E25AAE1A8F9E68AD7FBB03A1A3A80C6D0115EF5943532,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:24.341{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50621-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:26.122{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BE101618A2112A2EDE0F2472EE374B,SHA256=578C2669046F1FB8B1A85003ADAF886F501BA13C8BF6D26DFA78734D05CE4FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.477{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.476{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.474{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.309{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.946{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5006DBCA1952E68BD481A17B7E5592FE,SHA256=8A77976635A7959CBB2191C12B722CFE467DD6487F21CD313D09C3BB1C090556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.691{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000290261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.691{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.691{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF48c7d6.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:27.217{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741D2E6739711E211D0EBB7197235826,SHA256=2729F5D716A99EE53F087923AF0200E51041CD554FA576A6BC32BC45F966892E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.181{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.180{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.178{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.162{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.159{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.157{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.154{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.151{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.147{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.146{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.143{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.136{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.133{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.131{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.122{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.094{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.013{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.002{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.000{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000290267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:25.565{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57144-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:28.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530ED2BC82928D2BEE89F5317D03F7CE,SHA256=C3EDAA43E0CB1CEF35F7AF9EC76C64A515C335AA26C337636E2AA105D4E394A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:28.318{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02D87D6568832DA1EF5511ABD806040,SHA256=B7843FC78FC58203FB82407A8AD7E85B6D1E246AF36985A86554DBEC79173D6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:28.677{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:28.677{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.763{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.403{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF4AAF849FA3D0B7750E487B67ECADD,SHA256=E80F7278FDC6ABC446E47A8AE561B384F68A320C8E057D61A640D0AEB53E9B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.930{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.809{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93951E68BB005CA4D6A448238442C1B,SHA256=82223B6448694E70221102E30EEAA7DDA02B395DA93468467CA6928C12930DB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.748{30B46F62-5AFD-6352-6E03-000000008B02}14681016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.579{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.864{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47A3761308386230FD42714AC5AD2C4,SHA256=9A2EACCE5EC5C84E03594BE31DAA6AF46905418B7E66AC3BA690632EEFB32288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.780{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:30.490{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E182F4F837A272A652DFCA894996E9C,SHA256=9C65F9752C0719A0E5CF91B573E80137F4CD665569DAA56657DFE1FC952B9552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B78867E6B98D3A184D4505F1BDB35794,SHA256=7F6A68796C5A061FFE1CF5C262ECF254F5235973113ED4AF47AAD2721E43D9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.213{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D235D0D643AD9483D9D47F0434CA5EC0,SHA256=08557D552DD584DC1CB579600E9ED01F1A0F2CDA4033969ADA67F4984B3EB9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.184{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.182{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.182{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.182{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000290300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.252{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57145-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000290299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB943F05DFA1B6B622E89CDCFE92C07,SHA256=82C305180F8D32A69A0D94900747FCC9AD7F28E9E0D91A8F682D6363DAF20A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.871{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.807{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.779{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.772{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.754{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 354300x8000000000000000199728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.465{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50623-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000199727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.058{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50622-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000199726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.569{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC41E74CD4A0BC7FC032DF165FF02BB,SHA256=3C07FC54DDEABCFB9607585FA1A189BB22077CC9D4D8FF3FE7D2BF463CABCC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.150{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BADD34A3BFA27BB4197BE7D33D006D49,SHA256=E1F692A070B70DAE676146825F4ED992F38F0FFAD83BB26B715F9FACEFEFDB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:32.711{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D026D074C1DB693E63843972A95B3861,SHA256=93063F6711D921153E012A37F9B2E92D532A3DF0CB39972F7C20ADD21028F29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:32.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813B0420B00BB6D664954D96CD0F059C,SHA256=9C9835488162210DD583B0A36DF35551C2A44C6F4ED77246B24E3597566DA920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:33.988{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAACBDCA77BE9CC9EAC6D0713A9C3BB4,SHA256=03F869C8D93216916115A2F623DA306CC91F1CEC3FD13FF680D188AA8F62D5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.985{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E84500147BFAA05EEF9A7A38AC8DFC,SHA256=8B215F27F3B741419EBAB0C1FAECD9BDE42C4B8E50B9F6F4BE8EE25B194A044F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.701{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57147-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.701{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57147-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.535{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57146-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.484{30B46F62-5B01-6352-7103-000000008B02}69007912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.285{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.932{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE61073412347749B383B1149357900,SHA256=CE8D3B22FB9ECE8C77DD05BB78631FAD6939F125AB171B4620A0E693526E057E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.670{30B46F62-5B02-6352-7203-000000008B02}55285840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-4F4F-6352-D701-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-4F4F-6352-D701-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-4F4F-6352-D701-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-5B02-6352-7203-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.971{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7E4EF0B3F8FB8606DE566C10AF6B4B,SHA256=6CC5792061EC007637F25A442D25BE8C04798B2D2FC0B7F12059DBF5287CD250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:35.090{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EA43A59EF5927752BEA1F3B2A34B52,SHA256=1945D95657563CE07E6FE26067250C716FCE45BC6600FE8C28062D0950B2D019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.750{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.349{30B46F62-5B03-6352-7303-000000008B02}47444716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.150{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:36.192{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C39398C97C22B415B6381ABF9D46FF7,SHA256=31F947B4B63366F006339AD1A902C5E5131E2B64C1F91ABDDAAF73514638E97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:36.850{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADFC45A48E12C07D4A3C4D8C45F68AB6,SHA256=DEDA82CF0916C7B1EE9EEA17CCD99352B274C8C715280BD3C2E8806911475E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:35.361{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50624-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:37.383{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF4A36D7BE0344583931C559AA1162A,SHA256=16558FD63B5057773391DF32614A4A2D66E9E1F17BD0539BFBDBEE96E8C96E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:37.136{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CADEF9EE8551A39F88A70D203A7621,SHA256=720D999CCCFE3503439EA26571405228D8F4DDA34E6C262961F23804CC07A7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:38.484{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7096F038FEF81FC51C6564F2E6379DD,SHA256=530EC7FB2C79246FB6F3AB79DF82B14E0F7811FB8E554AAA7FFFBC4A1055CAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:38.221{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316CFEB9D9395B95F8759D9D7913F7F1,SHA256=3F77E56FECFA3A0A0C9B645985E644BACBF5E826DD6FCF8D17DA2384BC81AD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:39.586{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E86A8E880F606A6B0994083349EF0DD,SHA256=94BB9C35B2B12701FA4DF1C8050BC3235F3FB8D99F8F088ADF36C8962F42BF87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:37.394{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57148-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:39.292{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC795A3D98FDB75FD2F6D2A5B630A95,SHA256=7157436F0018ABBA304028B70DEAA2B51DAD612678033B7E5D8106D5B0F5378A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:40.678{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909966247EED34C54825CC4EFCE0B1F6,SHA256=07ED8D05EEC0F5DD520DABCD10C64206BAA379B9FD8536209E77B5C13010C587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:40.377{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFDF31CBABA5233E698B57036889D35,SHA256=3EF7F379192871AA252AB42E1D2166E6F813CB3AF145833A12E5FA5AA5769242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:41.764{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3DCC2A8AEB3250FC9AC21D8D3703C2,SHA256=C01E8C22632420806B6912E85D52BB3872604274BD990013CBD2AEC949271294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:41.525{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502E3ADE3CB0A04D3C0124C3E839A442,SHA256=3E24020D39B5796A5FCC9375D2E64E8E9FF050C27ECD42DF7B059756072A6643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:42.884{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AAA31865C2BF41247130E4236F3880,SHA256=11A425DC5CD0DDC0E067C7A7F835D6F27D3B74B4655AD4850AED31D14925FB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:42.575{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA5C0F29FBC31B103F0BD03560B777,SHA256=913FABB9755673C58F3A20543431388724B10CEA5359794B9E1D405846563CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:43.985{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C32E584AD75C89C9AAC636D312C03F,SHA256=B972BF129D3F75E779D18EFBBF0AF64A0DB34CB027465D294A7FA1388897DD90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.997{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.986{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.952{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.939{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.932{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.923{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.906{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.844{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.840{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.628{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FE966F9B3D0061C7C2D34590D37035,SHA256=7892661B9C74D7D9DAC8BF84469E632A76CBFF207803AF7003CEBB7C0648A8BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:40.472{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50625-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.687{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F463E653AD67879A54E3B330799C58,SHA256=C1E65373DA262C8034A9E27A1FD5D884937B61525817522980A4A8676E3220B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.536{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.531{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.134{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.128{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.125{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.116{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.083{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.074{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.058{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.050{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.008{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:45.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C58F474B784C47F1E7F6BDFE55FE4A,SHA256=31255929376D4F9B8E9E6868EC289515EF685D3FB0DA3CB04821D0F9EAA0AA44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.667{EFF5EEA8-5B0D-6352-BF02-000000008C02}33123256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.496{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.073{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8869AEC3A18F16D49B9A8D334453E9,SHA256=5559B8C6CDCE8BEDB78D1D101349F2BD3F4460AD768DA1A2EF5F0CC15953673D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:42.401{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57149-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.831{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659890ADDAC99E51DF756220306986BA,SHA256=314A24A0AF4C358FA136F216FB16F15E8A9516999FB8F5A05832197F06EF642C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6902CB6766C058938E8AE782B6D74B,SHA256=4F73E5C6A46C2AF690F35D145D16AF00CAD238E22C3CF3BDBE9D7AFDDA201BC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.307{EFF5EEA8-5B0E-6352-C002-000000008C02}984288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0BF9D3A2C8B81ADF969B0CE0FBE02A,SHA256=92925AE600AF3C16ED1986B22AE81A7438D44DA6A181721D9399BF6B644E6331,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.167{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.551{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.550{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.547{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.011{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E783450E894FD318794F8672C91EE07F,SHA256=F5C6413B0AC7B607AFA8C82504B6D02FEB1A662CF042686F054598BEE89507F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.415{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FDC3BB1E920228D70C2908A794E272,SHA256=FB0173EFBD2EE0C443141696CA20F0BB4E107AA89A3DF10F358231E8CD02D85C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.238{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.238{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.236{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.223{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.220{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.218{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.215{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.212{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.207{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.206{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.205{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.202{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.198{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.196{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.188{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.166{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.159{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.155{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.139{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.129{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.099{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.091{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.082{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.075{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.067{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.065{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000199865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.441{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50626-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.824{EFF5EEA8-5B10-6352-C402-000000008C02}9363952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.664{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B784A94CD5C6CC86FDC3B86759F7E9,SHA256=7FA71AAEA991619427C422FA8B24005A864DBBD15098AE456B9DAF69C8C3567E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:48.403{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90819E1CDFB401F7B9C8BC2BE61BBAC,SHA256=F3230EED8646C6E2FBF69BB264FB5221C0A9D769692746C29175FE6BC5FAD5A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.194{EFF5EEA8-5B10-6352-C302-000000008C02}33081524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.037{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C21D020A7D4636F9F28FA02499D68B,SHA256=5293E2BB82CCBED5AF4B0CDE582BD994B41B838ABAC7AFCA51385ADBA775EE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:49.484{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF372D59B3559A9A6CC791FEBE3ED6BD,SHA256=2DC956C9F68D7D02728AD5E780B2F0BAAC67544A71BA09A99C8398BE6BB49E44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.253{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:50.994{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92B7D2A783C5242620DE4DEBEB6CB62,SHA256=91A67F8788F4FBD4E2EA69C1B2FF61720207EEC7A521EB2966EEC5E981D5F7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:50.537{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6D521D2D94841A221B2C19BCAF56D4,SHA256=75587A218068382FA5239FC32BCC63CF44AC41798837C92FAA7D125B0DCD3194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:50.005{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7294570BF72ABC280F2C9B4E6CD98A9C,SHA256=A6E2122D12B2A70D6981D9FC3435D49EB9C709C20D89263388706D245E723DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:51.607{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066C5B6580476DAD15F4F2BDF1BE4A0B,SHA256=797F41E6C2B0EA1E530315D885347EB13F0E863F622268FD91A743BE2ED30430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.841{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.799{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.786{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.778{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.771{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.764{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.753{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000290418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:48.427{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57150-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:52.670{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD7E51423F5A89B44C6FC5D3FFC0085,SHA256=666A52BB1F158A0EF9B2F529FAE2F2BFF60FCD60A785E8D9308537058F7769A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:52.210{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB052BA823B1091B4A1BEC01B430753,SHA256=8A81E8DF50CD6C41AB4E51269DEF49A774D547A5D24422A05913D0220ECF6FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:53.741{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518F39295E8987299666646226A5882B,SHA256=97E41FEF7F4464416665B5138D2F986310942C14D74CE9B7C0E2D53B220F6FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:53.294{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEB7499D6F173A997A419A5B947A51B,SHA256=BE90DC8DD8064E054647EB0148CCED5F28A2095BB642D5CA4C246343983B2949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:54.812{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3C66360A68CBA399F19AC861F517EA,SHA256=31F7A3C47C88D5B44BBCD5EE73357FC02FD67DFECF150328B4CFB373F2E427EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:52.396{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50627-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:54.386{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73079B2A37960C6C3AC83F256218C571,SHA256=678ACD8A78F598AF592006243AEA3913032058D592147168B4A0EFD21ED58F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:55.885{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D1FCF7C2F49A213F40ECC9014551E0,SHA256=A7FFD51003AF05ECB7D10379EBDE1622972BBCD407C0FC71A11127F75483E5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:55.485{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7239F2A8257C3A906303D1E87586FFA4,SHA256=7F102349E63FA590CFA7A6CFC726EAB5739490B50AA821D2709946B4E08E7B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:56.572{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DAFE071A63E048DF8D39C3F8C35F84,SHA256=FFEDDEBAB4BA9B46C865DF34D4EDB5A812609BF6D686B6D8CC0B0BB2CA153820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:57.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E56F3E69736BF6299E57D86ADC200C,SHA256=814A199CE8C450A722F2C1885BC9D9200362AED6A661E98624FE07A15EDB512A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:54.456{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57151-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:57.046{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41928D438BFD06B732B9BEA72C11A0D,SHA256=8628B0FA7628A71605761DAAA6C4989116F0DE93DD5B08759D0C546AF0D48BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:58.786{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23145D37A1C465B91F3644612F47EA59,SHA256=F1583D015E4397C8A7AC4374F1803F44056E5CD1F89A1FE4062E7A5201E96059,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000290429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.879{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:40:58.879 23542300x8000000000000000290428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.879{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000290427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.879{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:40:58.879 23542300x8000000000000000290426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.149{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E5574616562ECA1C2810661C64B089,SHA256=EE41E3BFE882FA1A3A8EF5E3415FD187D39DBE4F6C0C0BE635FE6DEC92B33F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:59.884{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEC7CEC5FFE7D206096867580820C80,SHA256=88143500DAEA6E06794853CFC4415F9A32BAC9303D1727264794C67805AF4DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:59.198{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF8AB755BCECB856DC5CBF2C230CE2F,SHA256=31E925193C75D013FCE8F6A1BF6BC644B6EDB971FA35D8CA47585946786E4DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:00.984{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAE52104662F00822094799B13BA9F7,SHA256=131A570CB6AD76096DEBCB8DC0652A47AB0C1D3E381B378BB0DE36C27C184037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:00.236{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A9544E78026A384DC5CDD5E58BF774,SHA256=4F87B19B4FB075395F3587AFF0F2082B1CBCACE223674201EA9C3485D8FBE150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:57.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50628-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:01.404{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=78F18A652E68FB6E46B044A90C9647D1,SHA256=A0296C06E5CDD053863DA6E13ED55E32D9768A7517CF2A86F6A93FF33943D1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:01.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400527DD7BE3A6A01B072EA10EA53DB6,SHA256=3F71D9BE9462A09A355C4FCD97F6D26E1CAA20419E91BC28D0A20ED58EBFA139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:01.002{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=7F989A5C879F22EBAB9A504A81C8ABF3,SHA256=C98995BD05FF2B3D5E43FF3596FFC49AE9486F713CF4F24F97C680B5A100B3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:02.085{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B175CDDCCE86D35430F49F172BABE5,SHA256=035701AE6BA6896857F8144A194234267480AF5475EE2390F65A3C7CE9D8E74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:02.388{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3E21C85F6DDFF7284D3E3E2FA1DA8B,SHA256=2610A5BDE4F26928207C8E440BA6EAEA4CC0253A59172D97C6A9DBA81FB8A079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:00.428{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57152-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:03.196{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE19A71A92909C9599705B3EF516EF96,SHA256=FAB677AB6DBF47A2B03DBE5EF58AFE96C7FD1E1F10B18A502CCE9A38603CDBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.997{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.990{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.984{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.971{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.966{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=08CF443455BD2AE58B12955046DB68FD,SHA256=F6E81D84A03B9AB8F412C5307DC41EDD08100A85544AD250012B5019BC55B0F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.964{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.956{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.945{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.919{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.904{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.889{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.879{30B46F62-485E-6352-1000-000000008B02}3087704C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.878{30B46F62-485E-6352-1000-000000008B02}3087704C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.871{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.864{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.826{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.823{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D11E3C969365F973F3AC7A67A2CEFD,SHA256=4999C04D2D7A9BC6C145C383AECA9401B6D1A129B3B4F2052B125FD72579544A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:04.854{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62E631BCBE8E4126C9045B3705A79D15,SHA256=35A3B23017E1F3510EC1B803223128E29A064B72DC34A14DD9F8190C263B47D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:04.285{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F680C8CF0411976CEABE0FD7732E1FE3,SHA256=4FC2A90CB2D59BFABF2EC950F3089D439A86EEB1AFE65B0D95F103261B188CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3C0AA18E1CE85D110DE6653AB81B46,SHA256=8C2D9EB2D97F9D73B9A139D6D6FF34B3C2B79CD8EAD29B562B6F8FDDF332F29A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.456{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.453{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.040{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.038{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.032{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.014{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.007{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.003{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.000{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:05.604{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4E7ABC85B3D8135A235D720D3D0CDCF9,SHA256=D38909A03B51357A5FF4708C5718E0AF603D1A0C12A1F6ACB0681E0EB4385412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:05.369{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B3D52CC56F4A6D8A7FC02664913054,SHA256=F5863FD88B3069103181D0AA7338CBD85F525F8165872EF0F146020DEFBF078C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:05.566{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0640B9495D43B60D052A9C27B61824,SHA256=3228A3C4B0598FD5271962C1E464A57335F659A469D1B0072F6C19A294D29F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:05.185{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-077MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:03.361{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50629-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:06.465{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5566BEC43F568B2B330D549A9EC5EBA9,SHA256=7A46C2A65B4A77E705EF118C5F9AF63D10D19113F79DE2429EF2D84CD3F7D763,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.998{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.997{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.634{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD91A655FC5B147BB4AC10B9A99D9EA,SHA256=15CC8444E3EA06E2B43E360475063C8FABEF5550DA941FBEB515EC6B5105E91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:06.188{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.483{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.482{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.480{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:07.557{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A9B338D8CAB78D8366A9EAC350C89,SHA256=1F425100FFD823AE74763A54959E8A96790326CAA91E2E847E3C03D3A50FD2F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:05.439{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57153-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.186{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.185{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.182{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.160{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.155{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.152{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.147{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.143{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.142{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.141{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.134{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.124{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.114{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.093{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.082{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.080{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.058{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.049{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.027{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.013{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.008{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.006{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.003{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.001{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.000{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:08.643{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8464EF9166AA7B3574C7BE81CD2137,SHA256=EF918F9C2160D20C93017B4DA19C7F703798761415C61E2D5DC1FC062ADE0FE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.698{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000290504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.014{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B71B7ED4C36CA3B0A112E4375F9D3BF,SHA256=F0B7E86C824796FB095D26F25AAADA498275E19472B44170A666D06BF4B73259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:09.741{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8CB0DE3BFAC39BA20028F39C19B3A3,SHA256=F06231E06B083F98BE6A67298961770B1AF2222E92D0E2BB9D9AE5A04A50766D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:09.818{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=274AEB17F1A44CCF27946B57721CF372,SHA256=4E549AE213AF8575ACF4C9354BC3CCA77E54589AD90D4E9BBC3857F7A975687E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:09.082{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB520D1CB46AD6202B561BBEB6D3B2C5,SHA256=85E50748E621A424B0FBDE40F3E52F43D57991386FAE9478F6B07C4D4DEFA738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:10.839{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929BA4702C32B1D46A5A4333307F92C3,SHA256=365756CA010083EE14F28B77A980F43EB5C47D06AC6D507691583A784E805C32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:08.458{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50630-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000290510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.043{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57154-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000290509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.042{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57154-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000290508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:10.122{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59A3AB799F724D74A431E77FBF55226,SHA256=1E9004A26A9CE208B01F348161C7B422526C3134E454AC2B1CE7B4FB67C8CB41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.912{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9142E6FD73F7C25959FA866BF9485FA1,SHA256=104D02BCFE6E0AB530E36C5EE29C664DC14F01AB94BDA425DF7C73CAAC136858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000290512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:11.370{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=505A5A4019290E546704E38364297354,SHA256=6452499D91AFDB68D1F9D4E8B7E91282651A44344B91F2B2513B5F3F206BA8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:11.185{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C827CBBBF64E370BE83BAC76A0ABA4,SHA256=927FC44CF3D0C281EF6B783F1D3CBBFC6F993233035AF133753371F265BFEAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.809{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.802{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.787{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.780{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.777{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:12.880{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A69BC7E5CEC4ACB4353E3D99AC0E4CE,SHA256=B0F4F17F212B7CEA0FD351FAEADFEF5C5DE8A78325DB502B139C8B45453B4E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:12.202{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D4042D4B1BC8496948E091961BE3A6,SHA256=DD1CA2C3B175C1F4F80EB3E745D13E58CA9BE28845C1EE9CD583DC429A63BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:13.973{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05238CE95C5BD938F5DB949E8D67BD36,SHA256=2E4E261C4E0B1D360E8487ACDFBC229C5C9C9D0868DA39B0937D122AFF4FCB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:13.318{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B222F55853BC76C21823CF7019AE75,SHA256=A3F939342E1DF070170AEA18449875E30C39AA563DD79A8140337563763D9929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:10.583{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57155-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:14.442{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C623CDF20272861298C6CE7D0BD8F64,SHA256=BA3C6D4EE16F503B6396C330CD1018749DBCEB3EC86261567AFCBCE05D660FFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:15.489{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608A1EBD43E49FA14863C4E97A6388F8,SHA256=4DEF6F5AE242B9895B85F60C3A1CBF53A68F5703B782346676A04A4BAC8E57B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:15.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D77D80986317A50896F96E9AEE5106C,SHA256=E68B30AAAC8CC3BD1E82E234444E8AA6B673FD092A17A29BFA7103B5C02BF3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC80B3C24F5AEE48696754C373941209,SHA256=7794A93D5FF7A860D09F81D601E2A52A38D2EACEAA0F8B2CBABA5AA2438979CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:13.488{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50631-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:16.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1F26F2EBF35A6F0199E11056C3C5B3,SHA256=F3CABD6D8F2A67DA41B734C61815A1CC032DBCE1094D577535ADAA34C45462F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:17.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2721CDA97E7FD22B35BF816C17A230,SHA256=520B420BD845648A57163A3440A4EA0BF3019D3938F30D8241F83C0E4E818764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:17.242{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC2F98985068DBBB1D09FE182FACE56,SHA256=FACAD64D51A5A69E61A6E83105F6A0A7D623EC8A3C0C769EF54FDDEA5DECFA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:17.211{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-077MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=50CC1677B446BE91DFCF246C1C970C79,SHA256=C8FAB02509FEA0BBAC7E06F1174959E72E50BF7456FCE6ACC2CBFFA8317020BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=14DA9999215888CABA59ACDA0E75D689,SHA256=23B2B9E3D1DAE57658CE6ECD208A7A64C64F80EE974843CB13CA459AF5BE9123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=4E8A769132765D23D0EBAC59E3B79903,SHA256=CCBDC621194ACFFBB60F6725D5D00BF720B5406489834E8FEC3C593ED9168CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=F41898EC02BE9DC4989D325203DF90D2,SHA256=463E62030A53AC934511705945E0F9D92225C770AFB89FCA38BFCCBF9C893BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=F280EFF93833AB6651F6DFEC1A7BAF45,SHA256=42F3F1270B6B21F8F7976399E2CA8EFD0B69D50985FB41A64614BB3A3E67E9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CD3A469EFCD0D65893ABFE69D076CFEE,SHA256=CF920922CEC22C91B31A7E2417942A5E38DD2A26DCCAB613EEF78C2D729FB5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=7F2F8D8DAA51D08FE360ED8488D55785,SHA256=5FC80BD417BD4DBA8832FD25AA69BA4013A136ABBDA2D745EA00B0B408AF5062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=4FEABD410F1B44C8EA4588C7446D4B69,SHA256=1FBC5D48484F5BC007EBFA52C62F4C5A341A3A7F30D570ECB74E339C4EA0D80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=6C0DDFA4AEFE6586B8A70E9E9A109CCC,SHA256=A9CB5EBD95C2D42E45A2AFBB078C056DB73540DA54A8C18B50432EDA1708D10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=39A00A3E413D89533E22C82946A4A14D,SHA256=DA64F4F25BBD168287D1E580412CE400E1E22BF1557F3DB19F4854DD1AAEE7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=37BFB646DB8933D46F8D464EC12AD26B,SHA256=27CE000AAC32D51FC2471F36D2916A8EFA3E27F2BAAB733A320E6B619F181EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=A25936302C242A472DE7B2DB75F047DE,SHA256=5035DBBA6F06D818CB5D45DE297BB2FBB9987D4CCBA3EEF5E9E9A4E663160E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=26BDC8488FE803ACDCC9ED99FC4D41CD,SHA256=A5B0F5904B435B52A1B233BA06CFF2C35E06CC307D0E978A60016E10554C2A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=A327B128741EF8DF72F89C6BDE6C474E,SHA256=9E799BC1BA14E034760B7F1C45B8E09E9EF54759DF14DA0CDAE93A6C14D1E276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=06F39D542539522DD6A6A3892EC60429,SHA256=477E14A51C019FDAD15AC343675AD920B3E0929B6041CF3FAD506F5800E2C2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=2AA052B3155AA15A1B3FBF7646994DF7,SHA256=1B1922A3C859C691E372D28B32AB0573684B288D1DD71A6837FECE58B2B8D9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=A17FC303AAD48CAF4A5CD48A94F8C006,SHA256=8E008AC435AC6391311993417DF2E5D5E0F42E522D7BEBC9B54B7EFEAF0D9E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=FB3835C20D4A35F882CA3F0FEF00C536,SHA256=9A9E184A25A9FAAA95574D797FB6066022F030AB1F9EE57471C98FBA3409F6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=E15B0CD7FAED0836D20539CD1D5E6488,SHA256=7506BFBBA096FD71F7FF868BA1B70CC618CA36D3215C4AD657493CADF070F54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=A50C75C159E273B0ABA7661DD1ADD173,SHA256=F1DE336AFE2520062F8E3226C4143C9CDCA34EF735922BC27DB58635BB2A7E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=13C5C1E4D58E3694584EC0A8BD75E70E,SHA256=B7CB2651FED74E639191F187A1B095063F9E4C25A412141311FC169E016D61E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.873{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CD3A469EFCD0D65893ABFE69D076CFEE,SHA256=CF920922CEC22C91B31A7E2417942A5E38DD2A26DCCAB613EEF78C2D729FB5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.858{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.788{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=5DC30E8FE041DB6DEB26EB7D22F93B4F,SHA256=81858EC1ED1E4FAF46BA7961C639E2121AFA1D2255E7FBA59B28D3F2061478C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.788{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.772{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=4E8A769132765D23D0EBAC59E3B79903,SHA256=CCBDC621194ACFFBB60F6725D5D00BF720B5406489834E8FEC3C593ED9168CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.772{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.758{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B05ADAE6D2FDABF54341F740A64372,SHA256=545EFD227F36965DBC17465107B945AA1C35A73DDA0C8B892FB890649DBEA635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.743{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=50CC1677B446BE91DFCF246C1C970C79,SHA256=C8FAB02509FEA0BBAC7E06F1174959E72E50BF7456FCE6ACC2CBFFA8317020BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:18.330{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9313074AFB57ADC2B1A7E77A02E99DF9,SHA256=911AB77CC34BF6A0E227AB941AD3D2CC0A15341A74FD26D53F31859FCA62C14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.679{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.380{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57157-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000290524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.095{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57156-false142.250.191.234-443https 354300x8000000000000000290523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.073{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50388- 354300x8000000000000000290522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.073{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50388-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 23542300x8000000000000000290521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.210{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:19.428{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026F7FADA2EA5C6BF8E4767D68D8CF4F,SHA256=97841DE68EDACA34B9DA75D319097D50C5F7A366AC7863921AEBB4D2845350D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.559{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=39E363F1E60C2429BA50F0DDF8E960FE,SHA256=62D7FBCC03A06527A57349D055FB1A36029AC5246F4A62FDF03B93112AF8F122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=A0B396F1DDE60BA1D353CAB446FFD1F3,SHA256=889E28D4BB09F517E2D2D50327E9D19900CA3A23CDE4FD81D7E82B726AF9066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=ABFF90A9C34FF495667A7BFB9DC790A0,SHA256=6A32B1715273C1A5472959DC55F1ABAF413A9213A4072AED9FBD9DAA39A4875B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=CF0A2BCCCE71FCE55CAABC54B9B92601,SHA256=8159527A9F7D56C7AD8154876B9E268AC9F5C2D0E8C98F71ACCAA8F7E1D7260F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=60C67F500A7B4BC576F73507EF426147,SHA256=083C83BA2B3EAE9B257D389D5F1CCD3974D679A99B9D85A37987ADE054F360B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=90F833BB4DA71BC55F77B4CD9D21C38F,SHA256=2B4933F58384497D9BD8E0067717A25F4D733356B43C471B0891F31484EC9CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=03789A3E2B579F33DC32D27804BA4D02,SHA256=DB2E80581361DF60E0A2B50B0593B209C4C3483BE5EDD04865841118F8AB0B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=863C344533E8C686C3C988DDFBDCDE5F,SHA256=0D1A965E25C8A27462A85E35C028226E673032324C8610878207619D22F3A2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=A4B619394319B31019DAA7901762B66C,SHA256=A2DBE40673D52C90B8F524738EC7439C74910A319154EA9868800F662135D097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=778D899EB7AB4A01A12BE0D714A9FD93,SHA256=CBFCAAF675E78565519E1E98B936789402518A3877054E3480342ACA743875AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.042{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=12D00371BD28B3CA9C1DD095354E85CA,SHA256=D25F66F037D19A39CAB6D6B1227BD31EC44E27D31874AD32AC041EA04E890EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.041{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=5DC30E8FE041DB6DEB26EB7D22F93B4F,SHA256=81858EC1ED1E4FAF46BA7961C639E2121AFA1D2255E7FBA59B28D3F2061478C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.040{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=27A6BBEB8626FD5A89B921A3469A3F47,SHA256=F991880A7EE8579CAA181D90F85A1B7D5B942152766BE4B2E88C8E64964F1F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:19.148{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=79E9A08035EFE96488EE7EC2D630754B,SHA256=83F53EAA9F81E8E4ADC6C44893146E773B226B37FDB96A6385E78B0E28785E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:20.515{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776DFDA388A8D6813B353EFDDB6BBC5,SHA256=E0498AA09E7BF89E0D6C12FFA265CF8D97CBF8EC336086E6C11C34BECDBC9904,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:17.568{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51250- 23542300x8000000000000000290575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:20.504{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC149A7083F7249AB196CD72AF69401B,SHA256=F1D11C20AF87443D9A1E1052A30F27B4B6F9A28AA3B5C25BB69AFAA5CE873120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:20.289{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D17C973495277FFF26EF9E7732603D4,SHA256=35325FB8574E7D188FF1AB1D404BED66D290A09B31E09FA5B430C38830FA8AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:19.420{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50632-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:21.599{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0514320ACEBFA3D522E80AEC6C72D669,SHA256=E691B375C964413A9BD7FFE061D3523325D1D6641F11623CAE01B854C5ECC199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:21.338{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BA0674BF6D1E6C1332DFC56DE5EA75,SHA256=5E7348ADDEB114EF58D92CD2FF645609D28668E1F16F9616C07536277E159FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:22.696{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A595BFB2CB404521A025B8C4D271EB5F,SHA256=F666F29EF4E59BF540E0191B90DCE3E9AB9D194C92D04CAA6E9900A15E05B413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:22.461{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FB60D47F581779B2E9F5348D6C1241,SHA256=4BD4DB59185E251C1AE55A36376FFEF996FAB8C7F40E257920BFBDED155B44A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:23.783{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9457A5A5ABCB51697E89E90C538864,SHA256=2D54F2EC4020E685D8D60ABAE71880011520758F063DEC20B6A18AB4E16989D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.999{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.993{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.988{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.976{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.968{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.957{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.948{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.921{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.909{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.897{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.884{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.833{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.828{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000290580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:21.605{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57158-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.475{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832D60F79A0062C54C007F33CB414EB4,SHA256=10FAF4213ED1308A304188025A987DE2545EDD0193C517A2EA165795465CD7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:24.866{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD7059EB637496A2B5363C4BFA77FFA,SHA256=16A4E3308CE587614B7D549CE6174ADEB5405F5E7D942463BF3BD484960D975C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.625{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FCB94E14617B7EC3F0400D36F07B38,SHA256=B198DB61C3E225D8DBA33844750464C29F26BA9309FDB604466D1373F81FB275,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.420{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.417{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.043{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.038{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.035{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.029{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.020{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.012{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.006{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.003{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.001{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000199983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:25.951{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94C1FC79C7592645EE94A46AED47B6,SHA256=DE30926CD1027DB4034BA36F5950FFDE59856F214DC0F03B689F1CC9B75DFA9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:25.742{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8C54472CC1BC6EF3F34501835AF40B,SHA256=2628D6A855466DBCA0701FF0B023CF99FAE9DFD01DD8EC2D92F88FA3B1DBEB3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.998{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.991{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.984{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.976{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.975{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.972{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.970{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.969{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.966{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.966{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000290615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.825{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BCC67260971662F2DCE81033BC92C5,SHA256=A9B5A490D0E4BE7F24D094DC2D2C6BDFDB17AA06C7814FF409B66CA3FA3573BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:24.491{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50633-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.445{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.444{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.441{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.321{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.321{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.321{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.306{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:27.048{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D65C2AFB20EB80935EAC2822556DB33,SHA256=D0855FB8264EEACD92B61FACFD4D1DDE3AF7CA65C01827E6A1B4BD385E149FE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.138{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.137{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.135{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.112{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.109{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.107{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.104{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.100{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.093{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.093{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.091{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.088{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.085{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.083{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.076{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.058{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.052{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.050{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.047{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.032{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.023{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000199986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:28.141{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489A4AEB69EB6E6131A4CE974B097F70,SHA256=EF1E0738AAA364657899CA55FA7CAD26EE9395B9F1703727EB78884D87331B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:28.166{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0496A38B850C4461AC7294B8A5E1FAF3,SHA256=2DF01F5DA5AF85396F74B94F5AC9299CAA20014D725AF1BB842E0F0DE96058E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:29.788{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:29.228{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEA5A2A9B5D9FFC66CFDF8E907A2D7C,SHA256=9AA9809CBCE9F2FCCCD8B4E2992B879E5E2522D3251845AFC5AB2A4A207E8B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.947{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.795{30B46F62-5B39-6352-7503-000000008B02}28326432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.596{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000290650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.540{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57159-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.295{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9726C97205581417FB2FDBD15C56BC49,SHA256=87FCA0EBD2DA44D4A614BE7A78708A6B2716B47B7C6A6FCFB99DDBDBC0E004B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.280{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:30.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC42E8C2D237DD4456FFCF349316115,SHA256=4B3FE2D73B8A612C34069C8F885B8D628698B3E8D7C29B0BA140FB8057F01BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.929{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.612{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E7906528823500EB8FD9BB432C2EBB,SHA256=B94787A6F89A0D11D0FD9893FF4FBDA668D5479F35CE68FCC49C8D18E7E6604F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.311{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4442A90098078AA936382E244267151C,SHA256=7D732A8210D24CD2E571EE2D3DDCB2AFD9798515014F849A928D911AB64CA8EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.113{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9BBD6D76846117FF9F6F837C304192E6,SHA256=C9F4680598F2DCF2C8A90B768AE4545E6DF1EF913860E85E1F6179DADB06AA83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.927{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.791{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.774{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.767{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.749{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.410{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360BC09F221F3AD73C8496BD9DE62217,SHA256=21AC060008C1938A090C9C65AFAAFC47BF455A7EE66203BDBB8B9BDDC0F8A8AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.287{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57160-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000290687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.597{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C47DCF94615DD0784D811DBECDCC75CD,SHA256=3A1172A83893698E44A470D8F47C2F0BDBE28EF4E65DE04AEA6557855BCD2D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.452{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC3EB991F908F329057685539818B04,SHA256=55E4A19942297758A1999CD5F98A9B71F892C9E65ECD24B14B2D4C85F3C5294F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 354300x8000000000000000200022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:30.504{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:32.935{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14589DEC5A56A30D2D6AB22DFC105AD,SHA256=493425CA7506E2CFF0B320AD2DC6E186B7B95DA111135B240B8AB27AF1A20099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:32.568{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CDF229728EBDC05CB1D1F1935A516A,SHA256=8C61B0CF791FE9A0EA6498D09F18BAF47020BE4B997C20D899FABBB9DE429B11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:29.084{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50634-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000290701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.713{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57161-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.713{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57161-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000290699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.613{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B30034459F7F203EC6D28AC878A5B1,SHA256=55C1E569398F0C81B70FA305A9E3C75B8E2BD34FD8DB20188C3823597C39D2BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.467{30B46F62-5B3D-6352-7803-000000008B02}47485828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.298{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.729{30B46F62-5B3E-6352-7903-000000008B02}76646724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.629{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5566EB5DAA52A86A251ACF8E5D618F7B,SHA256=67FFAB1BE6763FB3E03EF7643A72086CE413C5937890269B4C63FB6AF0ABD2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:34.006{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE2502073371A2C27323AFE90DF8616,SHA256=93058D4A2E486D54DA51373DD5FDA9B0F6784EB08272F05AE009DD8917CA7F0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.483{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.830{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.682{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688E2636C1536D4EC7B31C8BF631085A,SHA256=5EF12106D16D63E48DBB5E02499C30E9D322704C126E901B4B704F956CEDC321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:35.096{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569A551EDEBFC2787C7BA7AA2362AEB8,SHA256=DCCFA6A9ED07C6C3230B1699EA79BB76C7E2DCFC2D6A1FB09C3F78B9B388332E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.313{30B46F62-5B3F-6352-7A03-000000008B02}52525572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.153{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.150{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.150{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:36.946{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EEC122B81C2A003FC12CA52D19FE841,SHA256=8FC420A37CB845E3EF61256685660828D99E34DB3619D180B997E66D835E1BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:36.813{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DE0A2AF6E0CB81408502952E75C07E,SHA256=DB5636C2F0378B230A514F97760D759E8EE6C5C0060FD174B369867B63CE5821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:36.188{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538BFC0F47074DD001051D4280EF68AE,SHA256=782B570A4530B825D02AB830A3C401A195586F848FC365A794296E804CB06687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.524{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57162-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:37.947{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCFE118FCA76AF8D2233BA6BFF383B3,SHA256=1F93CD21ACE6046E3228BFF2CF849E5282579C42E16E3330BCADBE111940A439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:37.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FEA36CFBC465BE55DA5A7164607180,SHA256=A6493DCF236334FF240D3D879BB0A4EF784A53BB3D823BFD1CFA59EE7E37FEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:38.360{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1529D1BFE4AA1F6F6498D0FE1EB87A6D,SHA256=05AAC5CA1273712C0804C86B130CDCF95ED0EC30C0B148DB655C035EE5CC358C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:39.450{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C196DA95CCFEA9A718675BC3BC0DD68,SHA256=FFE75C3E9F9F7AFDF87B3FACD9D022375D2226696881222449E4E9FEDAFE7F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:39.098{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416DD29F90DFDA12579A2D5474B1F93F,SHA256=0ED18F71A3039E7004BE91215B192E4B978C8AC6E1101F473EF7E9ABD224EF33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:36.496{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50636-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:40.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C8653E5B8E01B8DC928E23E30F0558,SHA256=A453E39BE7E407EB507A137A0A2427494A51D9138862FFB8B9753B01972DFCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:40.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C3FB686B255108C6F1AEC90A2CA47B,SHA256=00084DBA2766FCAEFD3F46FF262C28F8F6103279586DBF93101E5A1C15E2E650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:41.648{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E29A8CE65C2526EBE452AFD282FA3A,SHA256=FB7414D963660EC791AF8F78EF8690FA08B6E6BEAC46E647B8F77BBA4C7F47B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:39.514{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57163-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:41.233{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E48EF16FCBFCAFE94CBCF3472C1A3E2,SHA256=9E2DD9C215F6DB8C5F60502CCCC0CAAFF3BA7C5B94EA37FA0DF9189C4F247C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:42.739{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7BF5D4F4D21505B58540553D71861F,SHA256=AC7CC01EBA2B8E6AE75EC91462F25AACE354123C4F865BD7F2FFFFC6812A63F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:42.300{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7063A6589CF4E9EF33E61086C4E3BBB9,SHA256=80A78AE9BD9A8C1D200AEF7EF25524A8AF58C0B6FFABD85BC5BEC91420A29E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:43.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E5EAE4979B284A1C3668678ACB820F,SHA256=974EC462A93BEF193A14DA683542E17BEAB1665C73978C5D0C4DB47590CFA493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.994{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.991{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.972{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.968{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.966{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.962{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.956{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.948{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.924{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.916{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.903{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.900{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.889{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.874{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.867{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.859{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.851{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.818{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.816{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000290739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.431{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D103BDE67E0A3F59E2299BC116D52BB9,SHA256=99D74FEE830F53E81DA45DE4EDE758A9CFAA21A63782C6BA8FCEE5CCF49E7899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:44.948{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44390A7C91D09B5E657EEF40E9E7AB43,SHA256=C7152DB569C9F324A954B2D21789528C413848E33B5C1C6FF516C513228B8E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.500{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979733AF17F3DAD3AB5B1DDA5546A099,SHA256=072623AB630DF913E5819A00E820F267BC35235C59337EA63620B69155ECD7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.385{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.381{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.007{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.002{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.000{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:45.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A897FA7807485B7ADB69BBCBF5BB69BF,SHA256=31066DBE00C096C8A88AFD721FE819C5096E3E3CF4929D81E9CCE8253EF1A11E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.689{EFF5EEA8-5B49-6352-C602-000000008C02}23761604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.518{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000200035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:42.457{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.980{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.974{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.966{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.961{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.959{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.956{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.954{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.953{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.950{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.949{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.717{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C38B271F3C2C0FD675ADD1742D9EF82,SHA256=B5B870F39876B8217E5414D5FB4CC25458E137EAA9F0EC78C240D1F9DAB8D5A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92D14BC71AE617247FB3D5377E35A7F,SHA256=3FC35AB9E1BADBB00A105E2308CCE9C1C704D881BA569A30254462F71C4CD985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.376{EFF5EEA8-5B4A-6352-C702-000000008C02}33041004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.191{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.033{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D234826E711472EA548623E9DFCF0C7,SHA256=8AF98DB1FBCA2A179D0345A5C991CEE49BC071EDF447119BCFCFFE1548D9DC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.434{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.433{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.430{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000200107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.972{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000200094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.502{EFF5EEA8-5B4B-6352-C902-000000008C02}36203588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.348{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DB7120D9858FD15F84D662D9D28B4A,SHA256=096B34100F214AE26E9062D17D7A141E876EFB57C131D10D6814D1B9797612FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=582A945DB27CE00FAF2AA0FB4E24B395,SHA256=5C03E853309D97BF4A407A8CD043D94AEAC76809C0514040B71977D039BACD74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.159{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.158{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.155{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.116{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.113{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.110{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.106{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.100{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.099{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.097{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.091{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.085{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.051{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.041{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.038{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.036{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.013{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.002{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000200122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.580{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF51B71BA1CAFFE445CECC56941F9A9,SHA256=25F2ABC020AC101EC76114FECC67AAC789AA8B06AAA6B923B68A59B9CC637336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:45.417{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57164-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:48.050{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014DD4F00A5868FF37A280BC275AFB1E,SHA256=C4363428390043EF49628DEDD5618110DF04B610862D9E9D1CA8CE801A92FCDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.112{EFF5EEA8-5B4B-6352-CA02-000000008C02}34642000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.768{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA2375249B3189D0938F51C2962F345,SHA256=50227A7549E4364ED92A501873C5099BCBF66FFEE91214997BACB7C0BEF34A36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:49.105{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB4EA1C01767E8398926B98F3394612,SHA256=4B61CFB507965B9FEC500463BEECC1320895FD1BDD453870508A149A7F183734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.198{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.193{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.097{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CB2273F045529D36C80E417F38CA361,SHA256=2F1F0A8FB0ABD2FFBDAF818F81C359A27FC3FEAA82F4A1D44B9659DAAEB5967C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:50.754{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29BC2629D6366FEE70517C95B0AC1AE,SHA256=DC051514E745C559DBCBEAC3CCACA2738842FEE83BC0D416EC486B82787E495D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.138{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F996293F048C78548F1C5CA3AC2EB670,SHA256=3D2BF5BB4D2AF4767E8A078E1B4044FA6FC0BB6ACDD93BF13BA3BA9DF240D286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.979{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.972{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.969{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.937{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.924{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000200147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.844{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4078B567E884789C983E75F2B12A13,SHA256=A62D0D72579546E4A217FFD277F02D3FBCF625C069984D80CE86F6023F94AC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.799{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.790{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.780{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000290809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.407{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000290808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.309{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.294{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.256{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2666A33F2375351C642092E6067B6D8,SHA256=082CDA2270411B2D15B4E53456D09288A934B883BDFE677A977403602B7F677A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.758{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57168-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000290817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.757{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57168-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000290816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.656{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57167-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.656{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57167-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000290814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:52.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E6E988D5045980E45E1ED13411251A3,SHA256=80A7755E74E21F2A0DB0405F446F4B1BE9BAD6F9261535C588D73F4C0F5DC7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:52.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3507D15FA288621ED94666660E87260D,SHA256=03DCE851B8E91042EF371A82BAEEBD891D320B0F8F56FDA76D35085D726324B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.644{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57166-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.644{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57166-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.553{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57165-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:53.409{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2ADCA2FDC5C52ED2A94847849246EC,SHA256=B2354F4CF7493EA3419D5D583DD6F3B16369AAD374ACC9B161880E4F3D936064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:53.300{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04313C4F222D997A7FB535A347AEBE4,SHA256=88FEBA035EE6A1073B24DD09F273D56A0033082E5ED8BFCACDC174226108811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:54.509{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE38EEE9DA1F25D4E736FA3A7DFD98F,SHA256=3D3FDF9C8201331AEFA181D298D477EABC3BE7DBD8C81DBFB9D77E7D8BCCB101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:54.354{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5CB3B98E2596CAAF2D23BA07F408EE,SHA256=CA510E8E62B1803CEE92C25DBEE89989DB36011A34EE5813C5743A41EDF8ECC8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:41:55.965{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000290825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:41:55.965{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000290824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:41:55.965{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000290823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.959{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.958{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70755C6B7EC6EB3785F5B0D28C344E3F,SHA256=5BD25ED2CB5D3E0AB7E0D3BF0E3EF377C0703698A2357D5C5BFD4DA69AF7A924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:53.440{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:55.437{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FA694D6BE7C1A79859ADDE29813BC5,SHA256=093ED6DA461E5A443C14D8E7D633A047FFA8D64E1958FAA07885EF72524207B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.811{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.811{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.811{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.664{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B92447013E4E46995ECF41D3A4A80C,SHA256=25DA0A9B98BFA5886CD2C8B944EDD63FA4FB0F52FD869DD1B0981B12B815C9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:56.530{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606150BB1184A1F0EB7A6527018F1A6B,SHA256=C8E90A67E29CEBDAD6E77167248A97D6E86D74AD27982ECF86DB0CBB3071EB64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.157{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57170-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.157{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57170-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.322{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local54699-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 23542300x8000000000000000290839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.911{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B031E81E7EFCF9364314B80C3947E68E,SHA256=EBE6F8D6DDDCC7CB149D5A27B83BEC725A71969D97528969BD1388133133B111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462C4B3BC666C044FEF64A3E5D343D06,SHA256=3319C5EA1CB9AD193FEC8745556A1E731AD78B309B3800BABF12EBD00BED5A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.811{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.811{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:57.622{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C617BC5E8DCA6723602D43B36B50B269,SHA256=FF51E31422CEABB75B7BC77DD9DDF6E09FE19FC1E8C6BE169C81196B13264509,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.645{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.641{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.640{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000290832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.306{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57169-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000290831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.306{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57169-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 23542300x8000000000000000200176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:58.716{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F18939DA3483AE88B141E2F268C4FD6,SHA256=ABFA6AEF6317B3A29F687D5AE3816E1EB8516A03620A7D24A01DBF36A1CF5320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.983{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57172-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.983{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57172-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.489{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57171-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCEBB385969942C3A3C80C5D28EE846,SHA256=3689C229673A308A47E71A099044F96B938AA12E301CF8BEEB538809B683B212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:59.803{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E68288341E9ABB7B61E3FE52B16A3B,SHA256=4B03F286F29C224878D3C6F8DD564F658ED7B87786FFC834C13B7E7F30A339ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:59.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999D49D39A816FE7BB0DEB94EADCAB00,SHA256=B9163B9591C096915C187DB6437BE05FEE270487B4EB4223CD58BB559A5DAB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:00.880{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C52DF9E0E18286A63A3DA9F6C5B453,SHA256=7C06C902D83776D140D5DB420E0208E4328F8257B801E2DD7F3C6B66D6753F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:00.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A334C5736D3BB9ECC253B442E858847C,SHA256=AE0EFD79F6D7D6D264AF8A54749FC24A95F20DE48F533652AA3D2172D3F6D7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:01.979{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F561CC7C872F9ED20645C668917DA0,SHA256=292DFA107B896428F7F051E9225D82D711A084F637CDBBA855B6120A258C712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:01.685{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4F77AC97E43573D2372E77A66C20F4A3,SHA256=678A12F3F545ED04BF8A4C78EFCE0B1985EDCDA389D84FAA5F4D2AAA12B0174A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000290856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.409{30B46F62-4D08-6352-6F01-000000008B02}2076prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000290855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.406{30B46F62-4D08-6352-6F01-000000008B02}2076prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000290854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.413{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57173-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000290853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.402{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50199- 354300x8000000000000000290852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.401{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-64619-false127.0.0.1-53domain 354300x8000000000000000290851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.373{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64619- 354300x8000000000000000290850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.373{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98e0:61e6:2cd:ffff-64619-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000290849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.349{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64619- 23542300x8000000000000000290858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:02.067{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFA2F519FC2575C416A83A25D3475C8,SHA256=51B47154865412B8C4355EA9202FC4D727FD6002081221DD8EFCC437DA363640,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:59.349{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:03.061{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1BABC3FB80DC771208FE3DC0513EA5,SHA256=6169DFA6C3CEE232E510214A5DE54C72AF2D428EC880BB5990E3A39278231547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.996{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.986{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.973{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.966{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=03769CECD2CC55A1102BE64FAE35BCF5,SHA256=BFD4F5D627DF8F7104D6BF16EC738E2B410928A645DA69A5F1ED543553DEB82E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.962{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.929{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.915{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.900{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.887{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.874{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.818{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.815{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=842977C5E2F22BABA5FE2A0A4388F8E9,SHA256=91E8FE007BE75F95295C259EDA28556F8B4D671EBB0B9F377475DF0842009475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.185{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA58DAB2E35CB09FD84B83448A67DD4C,SHA256=4FA89351D65C8287C68EAF800467119E057428FA0DBD5E0D1766A41544A09D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:04.858{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B7BF6300686CE31E949BE5713BF6D478,SHA256=E510C66F167CD943A0CA3B944998D8D8F634B1D7D8620392D7167F009A2FAA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:04.145{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923DD9ED0426741DF2A543289A345079,SHA256=30E2044570AF7F67DBBF1658FAC3889947058D4EFD50E03317BFE4D0A985E2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.503{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.499{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.280{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1D3178CCCBDCDF7C0212A6864057FF,SHA256=DED111CD66C84276B5745BB39472452D4DF999A6AD02814228F7F2F2A874DA14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.081{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.074{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.062{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.046{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.039{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.035{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.031{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.014{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000200184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:05.233{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F031134C7031CA1A61FB8F0B29C66DDD,SHA256=E8A99D6338E7C197C2B7946ADE368E934142F66F0CFDD9E91C10D048AA48944E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:05.346{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD44759FE8FB5A50701CC58CCFEFA3DE,SHA256=CE54D0010F5B0BA261F1758AFD0F0D17048E9ADB41F3518609D24E3CD662A3CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:02.508{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57174-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:06.732{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-078MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:06.325{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A3F898ADF023C40E07E86864BC7236,SHA256=04EA37B6C2B946A91AE604AEFB8C3FC53671FCA75C6929659E23C9E8C19DB50F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.535{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.533{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.531{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.463{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BC2617B36BA55FECBEF10BCF54BD58,SHA256=9622CD53D399E26DE67C2652B696B9E18028894EFDCC72C6805736C396902601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.717{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7B706A85E49A8E309606E2FCBF62DD,SHA256=32F91CCE87AB14393747AA5B5307074A4B6365452BF6EC8D4DFF8AA07A40BD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:07.732{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:07.417{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136802C68C8E50474688D6AA371FDD55,SHA256=034908AC280CFCE8ED082261042BF022509285E87FF053951509E16B188F8D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:05.372{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x8000000000000000290925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:42:07.334{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e529-0x0090ece9) 10341000x8000000000000000290924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.212{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.198{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.196{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.194{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.192{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.188{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.183{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.182{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.180{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.175{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.171{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.169{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.136{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.128{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.127{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.124{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.108{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.063{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.058{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.057{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.055{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.052{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.051{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.049{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.048{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:08.833{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68A8A2D4CAC4C923B802E93714563D3,SHA256=6632738A2309FD8F1C3D63C00E980ADBB1A5D8A9CFD42D0633ECEE6248B58D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:08.507{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0760F358E3CD747D7BDAE2D56AD9CE4C,SHA256=EBF1E4F6EA2983D0CB82D2727517323F37A876728D3885E713C14E00ECE09B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:09.596{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424836B07B338D0066D2DEF785A120B1,SHA256=0205C76C94C8A311A9CE1B4E5F77F46BEC27EA915C37D7714539374D96DDCA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:09.949{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD53CF96A3FF3BAFA1578BD4A19CE6E1,SHA256=AD61389D468F1E1F46818DDC3EE58106F943960B92CF6E6D4AC0D85603267CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:10.988{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A04CEF9C58AEE051A65A4C82A775C8,SHA256=4C964628FFFBDF8CE4E8882F148D407CE1A9742FD79A0141F1B565280799C79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:10.687{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FEE73576138E6C88D230198E9020B3,SHA256=DBD3AF3650FFB31538CB9832011C2FB6899C83F87A424B3A41F849ADCE00DEC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.564{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57175-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000200219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150)